Snort mailing list archives

BPF Alternative for PPPOE?


From: "Richard A. Burman III" <Richard.Burman () cinagen com>
Date: Mon, 30 Jun 2003 21:38:47 -0400

Hello,

I am currently using Snort 2.0 (Build 72), libpcap-0.7.2 and tcpdump 3.7.2, with ACID, MySQL and SnortCenter, all running nicely on RedHat 9.  My question pertains to an issue with BPF and PPPoE.  I understand that when tapping a connection between the DSL modem interface and the red Ethernet interface on the firewall, the traffic is all encapsulated, and Snort seems to have no problem reading it and discerning based on the ruleset.

The problem is that after I spent a good evening educating myself on tcpdump, writing BPF filters and running a few tests on the filters I wrote using tcpdump (i.e. tcpdump -i eth1 -n -F /etc/snort/mybpf.conf, right from page 186 of my fresh new Snort 2.0 book - great book, btw), I discovered that tcpdump cannot discern PPPoE as valid (TRUE) traffic and therefore will never match the filter.  I know that if the interface on the particular box is of the SLIP/PPP(?) nature, there is an option to use the inbound/outbound qualifier when writing your filter, but it will not allow me to use that same setting on a standard stealthed interface that is tapping the link.

This really only poses an immediate problem for me on my home machine, since the people we service now all have screening routers, but we were planning on rolling out a few small servers to some of our customers who are using DSL.  I realize that the typical user environment that would benefit from BPFs is high-bandwidth users, since it keeps unnecessary traffic from ever tasking the engine and decreases the risk of packet loss.  Being that DSL is limited in bandwidth, I really doubt that most decent interfaces would ever drop a packet with the bandwidth throttled as such.  But the nice feature of BPFs that interested me equally was the ability to remove altogether the traffic that does not need to be detected by Snort.  My success in using snort.conf for excluding hosts as src, dst, or both has been hit and miss.  BPFs just seemed better, being that the .conf file is somewhat dynamic and gets tweaked here and there, whereas BPFs are just there: nice, clean and neat, and a single place to add exclusions to clean up those unnecessary events.

Sorry to ramble, but I wanted to be as specific as possible and hope that someone might have a suggestion as to what I can do.  I tried, just for grins, to see if Snort treated the BPF any differently than tcpdump did, but did not seem to have any success (with PPPoE).  In the meantime, I will read up a little more on excluding hosts in the snort.conf file, and I welcome any suggestions.

Thank you!

Richard A. Burman III
Cinagen, Inc.
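The encapsulation described in the post can still be filtered with raw byte offsets when the libpcap on hand has no PPPoE keyword. As an added example (not from the original post, nor Snort or libpcap code), the Python below decodes an Ethernet / PPPoE-session / PPP / IPv4 frame by hand, derives the offsets (14-byte Ethernet header, 6-byte PPPoE header, 2-byte PPP protocol field, so the PPP protocol sits at byte 20 and the IPv4 header begins at byte 22), and emits tcpdump/Snort BPF expressions built from ether[] loads that exclude a host or a TCP destination port inside PPPoE. The frame builder, MAC addresses and IP addresses are constructed test data; the offsets assume an untagged Ethernet frame (no 802.1Q header) and a PPP frame without address/control bytes, which is what PPPoE carries. Later libpcap releases add a pppoes primitive so that "pppoes and not host 10.1.2.3" does the same job directly, but the offset form works with any libpcap, including the 0.7.2 mentioned above.

```python
"""Hand-decode PPPoE session frames and build offset-based BPF filters.

Added example; the frame builder produces constructed test data.
"""
import ipaddress
import struct

ETH_P_PPPOE_DISC = 0x8863  # PPPoE discovery stage (PADI/PADO/PADR/PADS/PADT)
ETH_P_PPPOE_SESS = 0x8864  # PPPoE session stage: carries PPP frames
PPP_PROTO_IPV4 = 0x0021    # PPP protocol number for IPv4
ETH_HDR_LEN = 14           # dst MAC, src MAC, ethertype
PPPOE_HDR_LEN = 6          # ver/type(1) code(1) session_id(2) length(2)
PPP_PROTO_LEN = 2          # PPP protocol field (no HDLC address/control in PPPoE)
IP_OFF = ETH_HDR_LEN + PPPOE_HDR_LEN + PPP_PROTO_LEN  # IPv4 header starts at byte 22


def parse_pppoe_ipv4(frame: bytes):
    """Describe the IPv4 packet inside a PPPoE session frame, or return None
    if the frame is not PPPoE-session carrying PPP/IPv4."""
    if len(frame) < IP_OFF + 20:
        return None
    if struct.unpack_from("!H", frame, 12)[0] != ETH_P_PPPOE_SESS:
        return None  # plain IP, ARP, PPPoE discovery, etc.
    ver_type, code, session_id, _length = struct.unpack_from("!BBHH", frame, ETH_HDR_LEN)
    if ver_type != 0x11 or code != 0x00:  # RFC 2516: version 1, type 1, code 0 = session data
        return None
    if struct.unpack_from("!H", frame, ETH_HDR_LEN + PPPOE_HDR_LEN)[0] != PPP_PROTO_IPV4:
        return None  # LCP, IPCP, CHAP, ... are not IPv4
    ihl = (frame[IP_OFF] & 0x0F) * 4
    proto = frame[IP_OFF + 9]
    src = str(ipaddress.IPv4Address(frame[IP_OFF + 12:IP_OFF + 16]))
    dst = str(ipaddress.IPv4Address(frame[IP_OFF + 16:IP_OFF + 20]))
    sport = dport = None
    l4_off = IP_OFF + ihl
    if proto in (6, 17) and len(frame) >= l4_off + 4:  # TCP or UDP ports
        sport, dport = struct.unpack_from("!HH", frame, l4_off)
    return {"session_id": session_id, "src": src, "dst": dst, "proto": proto,
            "sport": sport, "dport": dport, "ip_offset": IP_OFF}


def bpf_exclude_host_over_pppoe(host: str) -> str:
    """BPF that keeps PPPoE-session IPv4 frames NOT involving `host`.
    IPv4 src is at IP_OFF+12, dst at IP_OFF+16 (bytes 34 and 38)."""
    addr = int(ipaddress.IPv4Address(host))
    return (f"ether proto 0x{ETH_P_PPPOE_SESS:04x} and ether[{IP_OFF - 2}:2] = 0x{PPP_PROTO_IPV4:04x} "
            f"and not (ether[{IP_OFF + 12}:4] = 0x{addr:08x} or ether[{IP_OFF + 16}:4] = 0x{addr:08x})")


def bpf_exclude_tcp_dport_over_pppoe(port: int) -> str:
    """BPF that keeps PPPoE-session IPv4 frames except TCP to `port`.
    The TCP header offset is computed from the IHL nibble at runtime."""
    return (f"ether proto 0x{ETH_P_PPPOE_SESS:04x} and ether[{IP_OFF - 2}:2] = 0x{PPP_PROTO_IPV4:04x} "
            f"and not (ether[{IP_OFF + 9}] = 6 and "
            f"ether[(ether[{IP_OFF}] & 0xf) * 4 + {IP_OFF + 2}:2] = {port})")


def passes_host_exclusion(frame: bytes, host: str) -> bool:
    """Python model of bpf_exclude_host_over_pppoe(): True if the filter keeps the frame."""
    info = parse_pppoe_ipv4(frame)
    return info is not None and host not in (info["src"], info["dst"])


def build_pppoe_ipv4_frame(session_id: int, src: str, dst: str, proto: int,
                           sport: int, dport: int, payload: bytes = b"") -> bytes:
    """Constructed test frame: Ethernet / PPPoE session / PPP / IPv4 / TCP-or-UDP.
    Checksums are left zero; MACs are made up."""
    l4 = struct.pack("!HH", sport, dport) + (b"\x00" * 16 if proto == 6 else b"\x00" * 4) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0x4000, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + l4
    ppp = struct.pack("!H", PPP_PROTO_IPV4) + ip
    pppoe = struct.pack("!BBHH", 0x11, 0x00, session_id, len(ppp))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETH_P_PPPOE_SESS)
    return eth + pppoe + ppp


if __name__ == "__main__":
    f = build_pppoe_ipv4_frame(0x0042, "10.1.2.3", "198.51.100.7", 6, 40000, 80)
    print(parse_pppoe_ipv4(f))
    print(bpf_exclude_host_over_pppoe("10.1.2.3"))
    print(bpf_exclude_tcp_dport_over_pppoe(80))
```

The generated expressions can be dropped straight into the file given to tcpdump -F or to Snort's BPF file; tcpdump -d prints the compiled BPF program, which is a quick way to confirm the offsets before putting a filter in front of the sensor.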
