Snort mailing list archives
Re: Re: Snort and PPPoE / tun interface
From: Rich Adamson <radamson () routers com>
Date: Wed, 25 Jun 2003 08:48:52 -0600
Liam, I don't use FreeBSD nor am I a PPPoE user, therefore my comments might be way off base.
Snort analyzed 217 out of 217 packets, dropping 0(0.000%) packets
Breakdown by protocol:                Action Stats:
  TCP: 28         (12.903%)           ALERTS: 0
  UDP: 26         (11.982%)           LOGGED: 0
  ICMP: 0         (0.000%)            PASSED: 0
  ARP: 0          (0.000%)
  EAPOL: 0        (0.000%)
  IPv6: 0         (0.000%)
  IPX: 0          (0.000%)
  OTHER: 158      (72.811%)
  DISCARD: 0      (0.000%)
The above implies to me that snort has in fact seen 28 tcp and 26 udp packets. Not sure what the "other" protocol represents, but quite likely to be Netbios or some other non-IP oriented packets.
2. How come Snort won't decode on a tun interface (tun/tap driver)?
Pure guess is the Pcap driver used by snort is before the tun/tap drivers.
Snort analyzed 493 out of 493 packets, dropping 0(0.000%) packets
Breakdown by protocol:                Action Stats:
  TCP: 90         (18.256%)           ALERTS: 0
  UDP: 78         (15.822%)           LOGGED: 0
  ICMP: 12        (2.434%)            PASSED: 0
  ARP: 0          (0.000%)
  EAPOL: 0        (0.000%)
  IPv6: 0         (0.000%)
  IPX: 0          (0.000%)
  OTHER: 310      (62.880%)
  DISCARD: 0      (0.000%)

We sent it some events that should have triggered alerts. Any thoughts on this, anyone? Help would be much appreciated. Surely there is someone out there doing this already?
Run snort in packet capture mode and look at the packets displayed with -ved. If you recognize the packets as valid IP stuff, then you may have an issue with how you defined HOME_NET in the snort.conf file. If the packets are truly encapsulated, then pcap is probably sniffing packets before they get to the PPPoE drivers.

You're probably not getting anyone to respond to your post because a) there isn't enough information in your post to even take a wild guess, b) few (if any) snort users likely use PPPoE (and more than likely, few have any technical understanding as to the detailed packet flows involved), and c) the combination of FreeBSD "and" PPPoE users is very likely to be a small or non-existent group that probably does not have the programming skills necessary to write/support the code to do this.

Purely a guess on my part...

Rich
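As an added illustration of the point above about pcap seeing frames before the PPPoE driver decapsulates them (this is example code, not anything from the thread or from Snort): the Python below classifies constructed Ethernet frames by protocol the way a per-protocol breakdown would, counts PPPoE session frames (EtherType 0x8864, PPP protocol 0x0021 for IPv4) as OTHER, and shows the same frames turning into TCP/UDP/ICMP once the PPPoE and PPP headers are stripped. All MAC addresses, session IDs and packets are constructed sample data.

```python
import struct

ETH_IPV4 = 0x0800           # plain IPv4 EtherType
ETH_PPPOE_SESSION = 0x8864  # PPPoE session-stage EtherType
PPP_IPV4 = 0x0021           # PPP protocol number for IPv4

def classify(frame):
    """Return 'TCP', 'UDP', 'ICMP' or 'OTHER' for one Ethernet frame.
    Only plain IPv4 frames are looked into; anything else is OTHER."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return "OTHER"
    proto = frame[14 + 9]   # IPv4 protocol field, byte 9 of the IP header
    return {1: "ICMP", 6: "TCP", 17: "UDP"}.get(proto, "OTHER")

def strip_pppoe(frame):
    """If the frame is a PPPoE session frame carrying PPP/IPv4, rebuild a plain
    Ethernet/IPv4 frame around the inner IP packet; otherwise return None."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_PPPOE_SESSION:
        return None
    # PPPoE header: ver/type(1) code(1) session_id(2) length(2), then PPP protocol(2)
    ver_type, code, _session, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != 0x11 or code != 0x00:
        return None
    if struct.unpack("!H", frame[20:22])[0] != PPP_IPV4:
        return None
    inner_ip = frame[22:20 + length]   # PPPoE length covers PPP proto + payload
    return frame[:12] + struct.pack("!H", ETH_IPV4) + inner_ip

def breakdown(frames, decapsulate=False):
    """Count frames per protocol, optionally stripping PPPoE first."""
    counts = {"TCP": 0, "UDP": 0, "ICMP": 0, "OTHER": 0}
    for f in frames:
        if decapsulate:
            f = strip_pppoe(f) or f
        counts[classify(f)] += 1
    return counts

# Constructed sample traffic: minimal 20-byte IPv4 headers, zeroed MACs.
def _ipv4(proto):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       bytes([192, 168, 1, 2]), bytes([10, 0, 0, 1]))

MACS = bytes(12)  # constructed dst/src MAC addresses
def eth_ipv4(proto):
    return MACS + struct.pack("!H", ETH_IPV4) + _ipv4(proto)
def eth_pppoe(proto):
    ppp = struct.pack("!H", PPP_IPV4) + _ipv4(proto)
    hdr = struct.pack("!BBHH", 0x11, 0x00, 0x1234, len(ppp))  # session 0x1234 constructed
    return MACS + struct.pack("!H", ETH_PPPOE_SESSION) + hdr + ppp

SAMPLE = [eth_ipv4(6), eth_ipv4(17), eth_pppoe(6), eth_pppoe(6), eth_pppoe(17), eth_pppoe(1)]

if __name__ == "__main__":
    print(breakdown(SAMPLE))                    # encapsulated frames land in OTHER
    print(breakdown(SAMPLE, decapsulate=True))  # same frames after stripping PPPoE
```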
Current thread:
- Snort and PPPoE / tun interface UIA Security Team (Jun 23)
- Re: Snort and PPPoE / tun interface Liam Reimers (Jun 25)
- Re: Re: Snort and PPPoE / tun interface Rich Adamson (Jun 25)
- Re: Re: Snort and PPPoE / tun interface Erek Adams (Jun 25)
- <Possible follow-ups>
- Re: Snort and PPPoE / tun interface UIA Security Team (Jun 24)
- Re: Snort and PPPoE / tun interface Liam Reimers (Jun 25)