Snort mailing list archives
Re: Snort and PPPoE / tun interface
From: Liam Reimers <jax () uia net>
Date: Tue, 24 Jun 2003 08:59:30 -0700
Morning folks,

I saw some list traffic about repetitive questions, and I hope I don't fall into that category. I did about 3 hours worth of research into this issue, looking at the snort.org docs, readmes, and list archives, and didn't find a definitive answer or solution for this issue.
If anyone knows where I may have missed the answer, I'd really appreciate it. I'm re-posting my question to the list as I haven't received -any- replies at all, not even a single snide RTFM ;)
Thanks folks,
--Liam

At 09:59 AM 6/23/2003 -0700, UIA Security Team wrote:

All,

We are running Snort 2.0 on FreeBSD and are having some trouble getting it to work on PacBell DSL, which is PPPoE.

1. Can snort decode "raw" PPPoE yet? I saw that several people have asked about this type of connection, and Marty posted back in 2/2000 (http://marc.theaimsgroup.com/?l=snort-users&m=98048822028060&w=2) that he would work on a decoder for this. If so, we could use it on the external interface (in our case, fxp0):

    /usr/local/bin/snort -i fxp0 -deN -c /etc/ids/snort.conf -l /var/log/snort
    [...]
    Snort analyzed 217 out of 217 packets, dropping 0(0.000%) packets

    Breakdown by protocol:            Action Stats:
        TCP: 28   (12.903%)           ALERTS: 0
        UDP: 26   (11.982%)           LOGGED: 0
       ICMP: 0    (0.000%)            PASSED: 0
        ARP: 0    (0.000%)
      EAPOL: 0    (0.000%)
       IPv6: 0    (0.000%)
        IPX: 0    (0.000%)
      OTHER: 158  (72.811%)
    DISCARD: 0    (0.000%)

2. How come Snort won't decode on a tun interface (tun/tap driver)?

    /usr/local/bin/snort -i tun99 -deN -c /etc/ids/snort.conf -l /var/log/snort
    Initializing Network Interface tun99
    --== Initializing Snort ==--
    Initializing Output Plugins!
    Decoding LoopBack on interface tun99
    Data link layer header parsing for this network type isn't implemented yet
    [...]
    Snort analyzed 493 out of 493 packets, dropping 0(0.000%) packets

    Breakdown by protocol:            Action Stats:
        TCP: 90   (18.256%)           ALERTS: 0
        UDP: 78   (15.822%)           LOGGED: 0
       ICMP: 12   (2.434%)            PASSED: 0
        ARP: 0    (0.000%)
      EAPOL: 0    (0.000%)
       IPv6: 0    (0.000%)
        IPX: 0    (0.000%)
      OTHER: 310  (62.880%)
    DISCARD: 0    (0.000%)

We sent it some events that should have triggered alerts.

Any thoughts on this, anyone? Help would be much appreciated. Surely there is someone out there doing this already?

Thanks,
--Liam
Liam Reimers, Senior Systems Programmer
ULTIMATE Internet Access, Inc.
(909) 605-2000 or Toll Free (800) 982-6898
http://www.uia.net
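
Both captures in this message put link-layer framing in front of the IP header that rules match on: PPPoE session frames on the Ethernet interface and, assuming the tun capture uses the BSD null/loopback link type that the "Decoding LoopBack" line suggests, a 4-byte address-family header on tun99. The following is an added example, not Snort's code and not part of the original post; it locates the IPv4 header under both framings, and the function name, enum and sample frames are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum link_type { LINK_ETHERNET, LINK_BSD_NULL };   /* names are this example's own */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Offset of the IPv4 header within a captured frame, or -1 when the frame
 * carries anything else or is truncated. */
int ipv4_offset(enum link_type lt, const uint8_t *f, size_t len)
{
    if (lt == LINK_BSD_NULL) {
        /* 4-byte address family, written in the capturing host's byte order */
        if (len < 4 + 20) return -1;
        uint32_t le = f[0] | (f[1] << 8) | (f[2] << 16) | ((uint32_t)f[3] << 24);
        uint32_t be = ((uint32_t)f[0] << 24) | (f[1] << 16) | (f[2] << 8) | f[3];
        if (le != 2 && be != 2) return -1;          /* AF_INET is 2 */
        return (f[4] >> 4) == 4 ? 4 : -1;
    }
    if (len < 14 + 20) return -1;                   /* Ethernet header + minimal IPv4 */
    uint16_t type = be16(f + 12);
    if (type == 0x0800) return (f[14] >> 4) == 4 ? 14 : -1;
    if (type != 0x8864) return -1;                  /* 0x8863 (discovery) carries no IP */
    /* PPPoE session: ver/type, code, session id (2), length (2), then PPP protocol (2) */
    const uint8_t *p = f + 14;
    if (len < 14 + 6 + 2 + 20 || p[0] != 0x11 || p[1] != 0x00) return -1;
    size_t plen = be16(p + 4);                      /* PPP protocol field + payload */
    if (plen < 2 + 20 || 14 + 6 + plen > len) return -1;
    if (be16(p + 6) != 0x0021) return -1;           /* LCP, IPCP, IPv6, ... */
    return (p[8] >> 4) == 4 ? 22 : -1;
}

/* Constructed sample frames: zeroed addresses, headers only. */
static const uint8_t sample_pppoe_ip[42]  = { [12] = 0x88, 0x64, 0x11, 0x00, 0x00, 0x01, 0x00, 0x16, 0x00, 0x21, 0x45 };
static const uint8_t sample_pppoe_lcp[42] = { [12] = 0x88, 0x64, 0x11, 0x00, 0x00, 0x01, 0x00, 0x16, 0xc0, 0x21 };
static const uint8_t sample_discovery[42] = { [12] = 0x88, 0x63, 0x11, 0x09 };
static const uint8_t sample_tun_ip[24]    = { 0x02, 0x00, 0x00, 0x00, 0x45 };

int main(void)
{
    printf("PPPoE session, IPv4: %d\n", ipv4_offset(LINK_ETHERNET, sample_pppoe_ip, sizeof sample_pppoe_ip));
    printf("PPPoE session, LCP:  %d\n", ipv4_offset(LINK_ETHERNET, sample_pppoe_lcp, sizeof sample_pppoe_lcp));
    printf("PPPoE discovery:     %d\n", ipv4_offset(LINK_ETHERNET, sample_discovery, sizeof sample_discovery));
    printf("tun (null header):   %d\n", ipv4_offset(LINK_BSD_NULL, sample_tun_ip, sizeof sample_tun_ip));
    return 0;
}
```

Frames for which this returns -1 (LCP, discovery, truncated captures) never reach IP-level matching, so a sensor reading such an interface can only count them without inspecting them.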
Current thread:
- Snort and PPPoE / tun interface UIA Security Team (Jun 23)
- Re: Snort and PPPoE / tun interface Liam Reimers (Jun 25)
- Re: Re: Snort and PPPoE / tun interface Rich Adamson (Jun 25)
- Re: Re: Snort and PPPoE / tun interface Erek Adams (Jun 25)
- <Possible follow-ups>
- Re: Snort and PPPoE / tun interface UIA Security Team (Jun 24)
- Re: Snort and PPPoE / tun interface Liam Reimers (Jun 25)