Snort mailing list archives

Re: Snort and PPPoE / tun interface


From: Liam Reimers <jax () uia net>
Date: Tue, 24 Jun 2003 08:59:30 -0700

Morning folks,

I saw some list traffic about repetitive questions, and I hope I don't fall into that category. I did about 3 hours worth of research into this issue, looking at the snort.org docs, readmes, and list archives, and didn't find a definitive answer or solution for this issue.

If anyone knows where I may have missed the answer, I'd really appreciate it. I'm re-posting my question to the list as I haven't received -any- replies at all, not even a single snide RTFM ;)

Thanks folks,

--Liam

At 09:59 AM 6/23/2003 -0700, UIA Security Team wrote:
All,

We are running Snort 2.0 on FreeBSD and are having some trouble getting it to work on PacBell DSL, which is PPPoE.


1. Can snort decode "raw" PPPoE yet? I saw that several people have asked about this type of connection, and Marty posted back in 2/2000 (http://marc.theaimsgroup.com/?l=snort-users&m=98048822028060&w=2) that he would work on a decoder for this. If so, we could use it on the external interface (in our case, fxp0):

 /usr/local/bin/snort -i fxp0 -deN -c /etc/ids/snort.conf -l /var/log/snort

[...]

Snort analyzed 217 out of 217 packets, dropping 0(0.000%) packets

Breakdown by protocol:                Action Stats:
    TCP: 28         (12.903%)         ALERTS: 0
    UDP: 26         (11.982%)         LOGGED: 0
   ICMP: 0          (0.000%)          PASSED: 0
    ARP: 0          (0.000%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 158        (72.811%)
DISCARD: 0          (0.000%)


2. How come Snort won't decode on a tun interface (tun/tap driver)?

/usr/local/bin/snort -i tun99 -deN -c /etc/ids/snort.conf -l /var/log/snort

Initializing Network Interface tun99

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding LoopBack on interface tun99
Data link layer header parsing for this network  type isn't implemented yet

[...]

Snort analyzed 493 out of 493 packets, dropping 0(0.000%) packets

Breakdown by protocol:                Action Stats:
    TCP: 90         (18.256%)         ALERTS: 0
    UDP: 78         (15.822%)         LOGGED: 0
   ICMP: 12         (2.434%)          PASSED: 0
    ARP: 0          (0.000%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 310        (62.880%)
DISCARD: 0          (0.000%)


We sent it some events that should have triggered alerts.

Any thoughts on this, anyone? Help would be much appreciated. Surely there is someone out there doing this already?

Thanks,

--Liam


Liam Reimers, Senior Systems Programmer
ULTIMATE Internet Access, Inc.
(909) 605-2000 or Toll Free (800) 982-6898
http://www.uia.net
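An added example (not from the original post or from the Snort project) showing why a plain Ethernet decoder drops PPPoE session frames into the OTHER bucket, as in the fxp0 statistics above, and what unwrapping the PPPoE and PPP headers (RFC 2516) takes to reach the inner IP packet. The MAC addresses, IP addresses and session id in the sample frames are constructed.

```python
import struct

ETH_IPV4, ETH_PPPOE_DISC, ETH_PPPOE_SESS = 0x0800, 0x8863, 0x8864
PPP_IPV4 = 0x0021  # PPP protocol number for IPv4

def ip_proto_name(ip):
    # Byte 9 of an IPv4 header is the transport protocol number.
    return {6: "TCP", 17: "UDP", 1: "ICMP"}.get(ip[9], "OTHER")

def classify_ethernet(frame):
    """Plain Ethernet decoder: only ethertype 0x0800 is inspected further,
    so every PPPoE frame lands in the OTHER bucket, as in the fxp0 stats."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return ip_proto_name(frame[14:]) if ethertype == ETH_IPV4 else "OTHER"

def classify_with_pppoe(frame):
    """Same decoder, extended to unwrap PPPoE session frames (RFC 2516)."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_IPV4:
        return ip_proto_name(frame[14:])
    if ethertype != ETH_PPPOE_SESS:
        return "OTHER"  # includes 0x8863 discovery (PADI/PADO/PADR/PADS)
    # PPPoE header: ver/type (0x11), code (0x00 = session data), session id, length
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != 0x11 or code != 0x00 or length < 2:
        return "OTHER"
    ppp = frame[20:20 + length]           # trust the length field, not the frame tail
    ppp_proto = struct.unpack("!H", ppp[:2])[0]
    if ppp_proto != PPP_IPV4:
        return "OTHER"  # LCP, IPCP, PAP/CHAP negotiation frames, etc.
    return ip_proto_name(ppp[2:])

# --- constructed sample frames (addresses and session id are made up) ---
def build_ipv4(proto, payload=b"\x00" * 20):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])) + payload

ETH_HDR = bytes.fromhex("001122334455" "66778899aabb")  # dst MAC, src MAC

def build_plain_frame(ip_packet):
    return ETH_HDR + struct.pack("!H", ETH_IPV4) + ip_packet

def build_pppoe_frame(ip_packet, session_id=0x0001):
    ppp = struct.pack("!H", PPP_IPV4) + ip_packet
    pppoe = struct.pack("!BBHH", 0x11, 0x00, session_id, len(ppp))
    return ETH_HDR + struct.pack("!H", ETH_PPPOE_SESS) + pppoe + ppp

if __name__ == "__main__":
    tcp_over_pppoe = build_pppoe_frame(build_ipv4(6))
    print(classify_ethernet(tcp_over_pppoe), classify_with_pppoe(tcp_over_pppoe))  # OTHER TCP
```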


