Snort mailing list archives

Snort and PPPoE / tun interface

From: UIA Security Team <security () uia net>
Date: Mon, 23 Jun 2003 09:59:36 -0700

All,

We are running Snort 2.0 on FreeBSD and are having some trouble getting itto work on PacBell DSL, which is PPPoE.

1. Can snort decode "raw" PPPoE yet? I saw that several people have askedabout this type of connection, and Marty posted back in 2/2000(http://marc.theaimsgroup.com/?l=snort-users&m=98048822028060&w=2) that hewould work on a decoder for this. If so, we could use it on the externalinterface (in our case, fxp0):


 /usr/local/bin/snort -i fxp0 -deN -c /etc/ids/snort.conf -l /var/log/snort

[...]

Snort analyzed 217 out of 217 packets, dropping 0(0.000%) packets

Breakdown by protocol:                Action Stats:
    TCP: 28         (12.903%)         ALERTS: 0
    UDP: 26         (11.982%)         LOGGED: 0
   ICMP: 0          (0.000%)          PASSED: 0
    ARP: 0          (0.000%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 158        (72.811%)
DISCARD: 0          (0.000%)


2.  How come Snort won't decode on a tun interface (tun/tap driver)?

/usr/local/bin/snort -i tun99 -deN -c /etc/ids/snort.conf -l /var/log/snort

Initializing Network Interface tun99

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding LoopBack on interface tun99
Data link layer header parsing for this network  type isn't implemented yet

[...]

Snort analyzed 493 out of 493 packets, dropping 0(0.000%) packets

Breakdown by protocol:                Action Stats:
    TCP: 90         (18.256%)         ALERTS: 0
    UDP: 78         (15.822%)         LOGGED: 0
   ICMP: 12         (2.434%)          PASSED: 0
    ARP: 0          (0.000%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 310        (62.880%)
DISCARD: 0          (0.000%)


We sent it some events that should have triggered alerts.

Any thoughts on this, anyone? Help would be much appreciated. Surelythere is someone out there doing this already?


Thanks,

--Liam



-------------------------------------------------------
This SF.Net email is sponsored by: INetU
Attention Web Developers & Consultants: Become An INetU Hosting Partner.
Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission!
INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Snort and PPPoE / tun interface UIA Security Team (Jun 23)
- Re: Snort and PPPoE / tun interface Liam Reimers (Jun 25)
  - Re: Re: Snort and PPPoE / tun interface Rich Adamson (Jun 25)
  - Re: Re: Snort and PPPoE / tun interface Erek Adams (Jun 25)
- <Possible follow-ups>
- Re: Snort and PPPoE / tun interface UIA Security Team (Jun 24)