Snort mailing list archives
RE: Linktype 113 not decoded
From: "BALDWIN, BILL (SBCSI)" <wb7192 () sbc com>
Date: Mon, 28 Feb 2005 08:47:26 -0600
Also, if I turn on

    Output alert_full: alert.full

It appears that Snort is able to capture the header information:

    [**] WEB-ATTACKS id command attempt [**]
    02/28-14:31:10.793388 203.218.33.49:1337 -> X.X.X.X:80
    TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:16759
    ***AP*** Seq: 0x78632E02 Ack: 0x8ED8D432 Win: 0x3DBD TcpLen: 20
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Both Snort-2.3.0 and Barnyard-0.2.0 are running on the same system.

-bill

-----Original Message-----
Sent: Friday, February 25, 2005 12:47 PM
Subject: Re: [Snort-users] Linktype 113 not decoded

Looks like you're using cooked sockets (Linux SLL) to acquire the data and Barnyard doesn't know how to process them. You'd have to add a layer 2 decoder for linux SLL traffic before Barnyard will recognize those packets.

-Marty

On Feb 24, 2005, at 10:12 AM, BALDWIN, BILL (SBCSI) wrote:
I'm running into an issue I hope someone can help with.

Environment:
    Snort-2.3.0
    Barnyard-0.2.0
    Libpcap-0.7.2-7.E3.2
    RedHat ES 3 update 3 SMP (2.4.21-20.Elsmp)

The system is running 2 GigE fibre cards that are spanning 2 routers with no ip address, and snort starts with -i any. The problem is the alerts have no ip/udp header information. Looking at barnyard's dump.log I'm getting "Linktype 113 not decoded. Raw packet dumped" instead of the packet header. If I run tcpdump or ethereal on any of the interfaces, I am able to get all header info.

Any help would be greatly appreciated.

Bill

-------------------------------------------------------
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover. Determine. Defend.
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
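The thread turns on what "Linktype 113" is: libpcap's DLT_LINUX_SLL, the 16-byte "cooked" pseudo-header the Linux kernel hands to a capture on the "any" interface in place of an Ethernet header. Snort knows how to skip it (which is why alert_full shows the IP and TCP fields), while Barnyard 0.2.0 does not, so its dump.log shows a raw packet with no decoded header. The following is an added example written for this archive page, not code from Snort or Barnyard: a small decoder that consumes the SLL header as documented by libpcap (2-byte packet type, 2-byte ARPHRD_ type, 2-byte address length, 8-byte zero-padded link-layer address, 2-byte protocol, all big-endian), then parses the IPv4 and TCP headers behind it exactly as an Ethernet decoder would after skipping its own 14 bytes. The sample packet, its 10.0.0.x addresses and port 1337 are constructed for the example and are not taken from the thread.

```c
/* Added example: decoding a libpcap DLT_LINUX_SLL (linktype 113) frame.
 * Not Barnyard or Snort code; header layout per libpcap's documentation. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SLL_HDR_LEN     16      /* fixed size of the Linux "cooked" header */
#define ETHERTYPE_IPV4  0x0800
#define IPPROTO_TCP_NUM 6

struct decoded {
    uint16_t sll_pkttype;   /* 0 = to us, 1 = broadcast, 2 = multicast, 3 = to other, 4 = sent by us */
    uint16_t sll_hatype;    /* ARPHRD_ value of the capturing interface, 1 = Ethernet */
    uint16_t ethertype;     /* upper-layer protocol carried after the SLL header */
    uint8_t  ip_ttl, ip_proto;
    uint16_t ip_len;        /* IPv4 total length */
    uint32_t ip_src, ip_dst;
    uint16_t tcp_sport, tcp_dport;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Returns 0 when the SLL and IPv4 headers decoded (TCP ports filled in when
 * the payload is TCP); negative on a truncated or unsupported packet. Every
 * length is checked before the corresponding bytes are read. */
int decode_sll_ipv4_tcp(const uint8_t *pkt, size_t len, struct decoded *d)
{
    if (len < SLL_HDR_LEN) return -1;              /* truncated SLL header */
    memset(d, 0, sizeof *d);
    d->sll_pkttype = rd16(pkt);
    d->sll_hatype  = rd16(pkt + 2);
    d->ethertype   = rd16(pkt + 14);                /* bytes 6..13 hold the address */
    if (d->ethertype != ETHERTYPE_IPV4) return -2;  /* only IPv4 handled here */

    const uint8_t *ip = pkt + SLL_HDR_LEN;
    size_t remain = len - SLL_HDR_LEN;
    if (remain < 20 || (ip[0] >> 4) != 4) return -3;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4u;
    if (ihl < 20 || remain < ihl) return -3;        /* bogus IHL: never trust it blindly */
    d->ip_len   = rd16(ip + 2);
    d->ip_ttl   = ip[8];
    d->ip_proto = ip[9];
    d->ip_src   = rd32(ip + 12);
    d->ip_dst   = rd32(ip + 16);
    if (d->ip_proto != IPPROTO_TCP_NUM) return 0;   /* layer 3 decoded, no ports */

    if (remain - ihl < 4) return -4;                /* need at least the two ports */
    const uint8_t *tcp = ip + ihl;
    d->tcp_sport = rd16(tcp);
    d->tcp_dport = rd16(tcp + 2);
    return 0;
}

/* Constructed sample (not from the thread): a cooked-capture TCP SYN from
 * 10.0.0.1:1337 to 10.0.0.2:80 with a 20-byte IPv4 and 20-byte TCP header. */
static const uint8_t sample_pkt[] = {
    /* SLL: pkttype 0, ARPHRD_ETHER 1, addr len 6, addr + pad, proto 0x0800 */
    0x00,0x00, 0x00,0x01, 0x00,0x06, 0x00,0x11,0x22,0x33,0x44,0x55,0x00,0x00, 0x08,0x00,
    /* IPv4: ver/ihl, tos, total len 40, id, flags/frag, ttl 64, proto 6, csum, src, dst */
    0x45,0x10, 0x00,0x28, 0x00,0x00, 0x40,0x00, 0x40,0x06, 0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    /* TCP: sport 1337, dport 80, seq, ack, doff 5 + SYN, window, csum, urgent */
    0x05,0x39, 0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00, 0x50,0x02, 0x3d,0xbd, 0x00,0x00, 0x00,0x00
};

const uint8_t *sample_pkt_ptr(void) { return sample_pkt; }
size_t sample_pkt_len(void) { return sizeof sample_pkt; }

int main(void)
{
    struct decoded d;
    int rc = decode_sll_ipv4_tcp(sample_pkt, sizeof sample_pkt, &d);
    if (rc != 0) { printf("decode failed: %d\n", rc); return 1; }
    printf("SLL pkttype=%u hatype=%u ethertype=0x%04x\n",
           (unsigned)d.sll_pkttype, (unsigned)d.sll_hatype, (unsigned)d.ethertype);
    printf("%u.%u.%u.%u:%u -> %u.%u.%u.%u:%u TTL:%u proto:%u len:%u\n",
           (unsigned)(d.ip_src >> 24), (unsigned)(d.ip_src >> 16) & 0xff,
           (unsigned)(d.ip_src >> 8) & 0xff, (unsigned)d.ip_src & 0xff, (unsigned)d.tcp_sport,
           (unsigned)(d.ip_dst >> 24), (unsigned)(d.ip_dst >> 16) & 0xff,
           (unsigned)(d.ip_dst >> 8) & 0xff, (unsigned)d.ip_dst & 0xff, (unsigned)d.tcp_dport,
           (unsigned)d.ip_ttl, (unsigned)d.ip_proto, (unsigned)d.ip_len);
    return 0;
}
```

The operational point for anyone running a sensor on -i any is the same one Marty makes: each tool in the alert pipeline needs its own layer-2 decoder for the capture's linktype, and a tool that lacks one silently produces header-less alerts. The decoder above refuses a header it cannot parse (truncated SLL, non-IPv4, bad IHL) rather than guessing offsets, which is the behaviour you want before the packet bytes are trusted for anything downstream.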
Current thread:
- Linktype 113 not decoded BALDWIN, BILL (SBCSI) (Feb 25)
- <Possible follow-ups>
- Linktype 113 not decoded BALDWIN, BILL (SBCSI) (Feb 25)
- Re: Linktype 113 not decoded Martin Roesch (Feb 25)
- Re: Linktype 113 not decoded Justin Heath (Feb 26)
- Re: Linktype 113 not decoded Martin Roesch (Feb 25)
- RE: Linktype 113 not decoded BALDWIN, BILL (SBCSI) (Feb 28)
- Re: Linktype 113 not decoded Martin Roesch (Mar 03)
- RE: Linktype 113 not decoded BALDWIN, BILL (SBCSI) (Feb 28)
- Re: Linktype 113 not decoded Martin Roesch (Mar 04)
- Re: Linktype 113 not decoded Paul Schmehl (Mar 04)
- Re: Linktype 113 not decoded Martin Roesch (Mar 04)
- RE: Linktype 113 not decoded BALDWIN, BILL (SBCSI) (Mar 11)