Snort mailing list archives

RE: Linktype 113 not decoded


From: "BALDWIN, BILL (SBCSI)" <wb7192 () sbc com>
Date: Fri, 11 Mar 2005 14:35:41 -0600

Martin,
Thanks for the help.  Unfortunately the patch did not cure our ills.  I
pulled down a fresh barnyard-0.2.0 and:

mv barnyard-0.2.0 barnyard
patch -p0 </tmp/by.patch
cd barnyard
./configure
make
<snip>
Making all in src
make[2]: Entering directory `/tmp/by2/barnyard/src'
Making all in output-plugins
make[3]: Entering directory
`/tmp/by2/barnyard/src/output-plugins'
gcc -DHAVE_CONFIG_H -I. -I. -I../.. -I../..
-I../../src -I/usr/include/pcap  -I/usr/include/mysql
-DENABLE_MYSQL  -g -O2 -Wall -c op_decode.c
In file included from op_decode.c:24:
op_decode.h:25:24: net/if_var.h: No such file or
directory
In file included from op_decode.c:24:
op_decode.h:708: `IFNAMSIZ' undeclared here (not in a
function)
op_decode.h:715: confused by earlier errors, bailing
out
make[3]: *** [op_decode.o] Error 1
make[3]: Leaving directory
`/tmp/by2/barnyard/src/output-plugins'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/tmp/by2/barnyard/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/tmp/by2/barnyard'
make: *** [all-recursive-am] Error 2

I removed the entry in op_decode.h to #include "net/if_var.h".  I could
not find any #DEFINES for IFNAMSIZ other than 
#if defined(WIN32) && !defined(IFNAMSIZ)
#include "libnet/IPExport.h"
#define IFNAMESIZ MAX_ADAPTER_NAME
#endif

Seeing that IFNAMSIZ was needed in struct _Pflog_hdr, I hardcoded the
ifname[IFNAMESIZE] to ifname[30];

That gets it to compile.  When it runs is another problem.  Here is some
output from dump.log:

[**] [1:2182:8] BACKDOOR typot trojan traffic [**]
[Classification: A Network Trojan was detected]
[Priority: 1]
[Xref => http://vil.nai.com/vil/content/v_100406.htm]
Event ID: 1     Event Reference: 1
01/01/70-00:00:00.000057 131.46.1.15 -> 133.236.63.0
DDX TTL:62 TOS:0x83 ID:0 IpLen:20 DgmLen:15628
IP Options (16) => Opt 184: 9824 ADFB 0040 5EB7 0040
5EB7 0040 5EB7 0040 5EB7 0040
5EB7 0040 5EB7 0040 5EB7 0050 5EB7 0000 0000 0000 0000
0000 0000 0000 0000 C0E5 3608 0600 0000 0000 0000 0000
0000 0000 0000 9098 3708 FFFF FFFF FFFF FFFF 0000 0000
9C98 3708 FFFF FFFF 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
...<snip>

The output for each logged event contains many, many, many more lines of
"0000".  After logging a couple of these events, barnyard dies.  It
should also be noted that the addresses captured above are not in our
network and are not routed by our network.

Thanks for your help.  Please let me know what I can do to help you.

-bill
  

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Martin
Roesch
Sent: Friday, March 04, 2005 10:11 PM
To: BALDWIN, BILL (SBCSI)
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Linktype 113 not decoded


Hi Bill,

Here's a quick and dirty patch that you can apply to Barnyard that'll 
add SLL support to its decoder.  if you patch the barnyard code set 
with this and then try to reprocess your unified files it'll probably 
work.  Let me know what you find.  I don't have any SLL unified files 
to test with, so this compiles but hasn't been operationally tested...

Let me know how it goes.

      -Marty
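As an added illustration of what an SLL-aware decoder has to do (this is example code written for this archive page, not Marty's patch and not Barnyard's own decoder; the 16-byte cooked header layout is libpcap's DLT_LINUX_SLL, linktype 113, and the sample frame is constructed, not a real capture): the decoder reads the cooked header, checks the protocol field, and only then hands the bytes at offset 16 to the IP parser. The second entry point shows what happens when the same frame is treated as Ethernet (14-byte header): the IP parser lands two bytes early, and a version-nibble check is what keeps it from producing bogus addresses instead of an error.

```c
/* Added example: reaching the IPv4 header in a DLT_LINUX_SLL ("Linux cooked",
 * linktype 113) frame.  Not Barnyard code; the SLL layout is libpcap's. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <inttypes.h>

#define SLL_HDR_LEN 16          /* fixed size of the cooked header */
#define ETHERTYPE_IP 0x0800

/* Cooked header fields; every multi-byte field is big-endian on the wire. */
typedef struct {
    uint16_t pkttype;           /* 0 to us, 1 bcast, 2 mcast, 3 other, 4 sent by us */
    uint16_t hatype;            /* ARPHRD_* type of the capturing interface */
    uint16_t halen;             /* bytes of addr[] actually used */
    uint8_t  addr[8];           /* link-layer address, zero padded */
    uint16_t protocol;          /* EtherType for Ethernet-like hatype */
} SllHdr;

typedef struct {
    uint8_t  version, ihl, ttl, proto;   /* ihl is in bytes */
    uint16_t total_len;
    uint32_t src, dst;
} Ipv4Info;

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Parse the 16-byte cooked header.  Returns 0 on success, -1 if truncated. */
int sll_decode(const uint8_t *pkt, size_t len, SllHdr *h)
{
    if (len < SLL_HDR_LEN) return -1;
    h->pkttype  = be16(pkt);
    h->hatype   = be16(pkt + 2);
    h->halen    = be16(pkt + 4);
    memcpy(h->addr, pkt + 6, 8);
    h->protocol = be16(pkt + 14);
    return 0;
}

/* Parse the fixed part of an IPv4 header at byte offset `off`.  Returns 0 on
 * success, -1 if truncated or if the bytes do not look like IPv4 at all. */
int ipv4_decode(const uint8_t *pkt, size_t len, size_t off, Ipv4Info *ip)
{
    if (len < off + 20) return -1;
    const uint8_t *p = pkt + off;
    ip->version   = p[0] >> 4;
    ip->ihl       = (uint8_t)((p[0] & 0x0f) * 4);
    ip->total_len = be16(p + 2);
    ip->ttl       = p[8];
    ip->proto     = p[9];
    ip->src       = be32(p + 12);
    ip->dst       = be32(p + 16);
    if (ip->version != 4 || ip->ihl < 20 || ip->ihl > len - off) return -1;
    return 0;
}

/* Cooked frame -> IPv4 header.  Returns 0 on success, -1 if not IPv4/truncated. */
int sll_to_ipv4(const uint8_t *pkt, size_t len, Ipv4Info *ip)
{
    SllHdr h;
    if (sll_decode(pkt, len, &h) < 0) return -1;
    if (h.protocol != ETHERTYPE_IP) return -1;
    return ipv4_decode(pkt, len, SLL_HDR_LEN, ip);
}

/* Constructed sample (not a real capture): SLL header with hatype 1
 * (ARPHRD_ETHER), 6-byte address, EtherType 0x0800, then a 20-byte IPv4
 * header 10.0.0.1 -> 10.0.0.2, TTL 64, protocol 6, total length 40. */
static const uint8_t sample_frame[36] = {
    0x00,0x00, 0x00,0x01, 0x00,0x06,
    0x00,0x11,0x22,0x33,0x44,0x55,0x00,0x00,
    0x08,0x00,
    0x45,0x00, 0x00,0x28, 0x00,0x01, 0x00,0x00, 0x40,0x06, 0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02
};

/* EtherType seen by the cooked decoder on the sample (expected 0x0800). */
int sample_sll_protocol(void)
{
    SllHdr h;
    return sll_decode(sample_frame, sizeof sample_frame, &h) == 0 ? (int)h.protocol : -1;
}

/* TTL reached through the cooked decoder (expected 64). */
int sample_ttl_via_sll(void)
{
    Ipv4Info ip;
    return sll_to_ipv4(sample_frame, sizeof sample_frame, &ip) == 0 ? ip.ttl : -1;
}

/* Same frame mis-decoded as Ethernet: the "IP header" would start at the
 * EtherType bytes 0x08 0x00, version nibble 0, so the sanity check rejects it. */
int sample_ttl_via_ethernet(void)
{
    Ipv4Info ip;
    return ipv4_decode(sample_frame, sizeof sample_frame, 14, &ip) == 0 ? ip.ttl : -1;
}

int main(void)
{
    Ipv4Info ip;
    if (sll_to_ipv4(sample_frame, sizeof sample_frame, &ip) == 0)
        printf("IPv4 ttl=%u proto=%u src=%08" PRIx32 " dst=%08" PRIx32 "\n",
               ip.ttl, ip.proto, ip.src, ip.dst);
    printf("decoded as Ethernet: %d\n", sample_ttl_via_ethernet());
    return 0;
}
```

The version/IHL check in ipv4_decode is the part worth keeping in any decoder: without it, a wrong link-header length does not fail, it silently yields addresses, TTLs and option dumps that are really neighbouring bytes of the frame.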



