Snort mailing list archives

Detecting ARP and "OTHER" protocols


From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com>
Date: Fri, 13 Sep 2002 15:46:27 -0400


Hello,

I'm running Snort 1.8.7 on RHLinux7.0

I was looking at my Snort stats and noticed that it says it detected ARP
packets and "OTHER" packets besides IP/TCP/UDP. Since Snort seems to know
about ARP packets, as a test, I created a test rule to alert whenever an ARP
packet is detected so I can get an idea what is going on on my network. I
started by creating a rule like this:

alert arp any any -> any any (msg:"ARP packets detected";)

Though I got a segmentation fault (core dump). Is there another way I can do
this, or is Snort not capable of alerting on ARP packets?


I was also looking to determine what "OTHER" protocols Snort claims it is
seeing out there. What would be the best way to do this? It would seem
logical to use an alert such as:

alert !ip any any -> any any (msg:"Non-IP packets detected";)

but this didn't work either.

I was hoping someone had some tips on the above.....thanks!
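Snort 1.x rule headers only accept tcp, udp, icmp and ip in the protocol field, so neither arp nor !ip is a valid rule header; the "OTHER" counter is simply every frame whose Ethernet type is not IP (or ARP). One way to find out what those frames are is to classify captured Ethernet frames by EtherType yourself. The script below is an added example, not code from the original post or from Snort: the frames it inspects are constructed inline, and the protocol bucket names are my own rather than Snort's.

```python
import struct
from collections import Counter

# EtherType values from the IEEE/IANA registry (not Snort's own table).
ETHERTYPES = {
    0x0800: "IP",
    0x0806: "ARP",
    0x8035: "RARP",
    0x809B: "AppleTalk",
    0x8137: "IPX",
    0x86DD: "IPv6",
}

def classify_frame(frame: bytes) -> str:
    """Bucket one Ethernet frame by the protocol carried above layer 2.

    A type field below 0x0600 is an IEEE 802.3 length field (LLC/SNAP frames
    such as spanning tree), a common source of "OTHER" counts on a LAN.
    802.1Q tagged frames are unwrapped so the inner EtherType is reported.
    """
    if len(frame) < 14:
        return "RUNT"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype < 0x0600:
        return "802.3/LLC"
    if ethertype == 0x8100:            # VLAN tag: type field moves 4 bytes right
        if len(frame) < 18:
            return "RUNT"
        ethertype = struct.unpack("!H", frame[16:18])[0]
    return ETHERTYPES.get(ethertype, f"OTHER(0x{ethertype:04x})")

def count_protocols(frames):
    """Return a Counter of bucket name -> number of frames."""
    return Counter(classify_frame(f) for f in frames)

# Constructed sample frames (not a real capture): dst MAC, src MAC, type, payload.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("00005e00530a")  # MAC from the documentation range
SAMPLE_FRAMES = [
    DST + SRC + b"\x08\x06" + b"\x00" * 28,                   # ARP
    DST + SRC + b"\x08\x00" + b"\x45" + b"\x00" * 19,         # IPv4
    DST + SRC + b"\x81\x00\x00\x0a\x08\x06" + b"\x00" * 28,   # VLAN 10 carrying ARP
    DST + SRC + b"\x00\x26\x42\x42\x03" + b"\x00" * 35,       # 802.3 length + LLC (STP-like)
    DST + SRC + b"\x81\x37" + b"\x00" * 30,                   # IPX
    DST + SRC + b"\x88\xcc" + b"\x00" * 30,                   # LLDP, not in the table
]

if __name__ == "__main__":
    for proto, n in sorted(count_protocols(SAMPLE_FRAMES).items()):
        print(f"{proto:16s} {n}")
```

On a live box the frames would come from a pcap read with a library such as dpkt or scapy (assumed), feeding each raw frame to classify_frame.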



