Snort mailing list archives

Re: [PATCH] Add non-IP layer 3 detection via new 'ether_type' keyword and 'eth' protocol


From: Joshua Kinard <kumba () gentoo org>
Date: Sun, 20 Nov 2011 20:24:32 -0500

On 11/13/2011 16:37, Joshua Kinard wrote:


Hi snort-devel,

I decided to play around some more in src/decode.c, and got to thinking,
with all of these additional Decode* functions that don't seem to see a lot
of use, why not provide some baseline support to at least scan some of the
protocols?

End result is I didn't fiddle with too much in decoder.c, but wound up
adding a new rule protocol, "eth", and a new rule option, "ether_type".  The
purpose is to open up Snort to detecting things other than IP-based traffic
by leveraging the existing capabilities of the fast-pattern matcher and
detection engine.

Okay, I forgot to synchronize SFSnortPacket in sf_snort_packet.h with the
changes I made to Packet in decode.h, which resulted in an alignment problem
in any of the dynamic preprocessors.  The attached patch fixes this.

Any comment so far?  List has been dead all week.

-- 
Joshua Kinard
Gentoo/MIPS
kumba () gentoo org
4096R/D25D95E3 2011-03-28

"The past tempts us, the present confuses us, the future frightens us.  And
our lives slip away, moment by moment, lost in that vast, terrible in-between."

--Emperor Turhan, Centauri Republic

Attachment: snort-2.9.2-ether_type-support.patch

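The message above describes an "ether_type" rule option that lets the detection engine key on the layer-2 type field instead of assuming IP. The attached patch is not reproduced on this page, so the following is an added example written for this archive page, not code from the patch or from Snort: a minimal decoder-side check showing what such an option has to do before a value can be compared against a rule. The rule struct, the function names and the sample frames (an ARP request, an 802.1Q-tagged IPv4 frame and a 13-byte runt) are all constructed for the demonstration. It goes slightly beyond the mail by handling the two cases a practitioner hits first: a VLAN tag in front of the real type, and a frame too short to carry the field at all.

```c
/* Added example (not from the patch or from Snort): an "ether_type"-style
 * check over a raw Ethernet frame. Names, rules and frames are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ETH_TYPE_OFF   12      /* dst(6) + src(6), type field follows */
#define ETH_TYPE_VLAN  0x8100  /* IEEE 802.1Q tag: 2-byte TCI + inner type */
#define VLAN_TAG_LEN   4
#define ETH_TYPE_MIN   0x0600  /* values below this are 802.3 length fields */

/* Hypothetical rule: fire when the outermost non-VLAN EtherType equals ether_type. */
struct eth_rule {
    const char *msg;
    uint16_t    ether_type;
};

/* Return the EtherType of a frame, skipping any 802.1Q tags.
 * Returns 0 when the frame is too short to contain the field, so a
 * truncated capture can never be read past its end. */
static uint16_t eth_get_type(const uint8_t *frame, size_t len, size_t *payload_off)
{
    size_t off = ETH_TYPE_OFF;
    uint16_t type;
    for (;;) {
        if (len < off + 2)
            return 0;                      /* runt: no type field to read */
        type = (uint16_t)((frame[off] << 8) | frame[off + 1]);
        if (type != ETH_TYPE_VLAN)
            break;
        off += VLAN_TAG_LEN;               /* step over TCI to the inner type */
    }
    if (payload_off)
        *payload_off = off + 2;
    return type;
}

/* True when the frame carries a real EtherType equal to the rule's value. */
static int eth_rule_matches(const struct eth_rule *r, const uint8_t *frame, size_t len)
{
    uint16_t type = eth_get_type(frame, len, NULL);
    return type >= ETH_TYPE_MIN && type == r->ether_type;
}

/* Constructed sample frames. MACs use the locally administered 02:00:... range. */
static const uint8_t SAMPLE_ARP[] = {
    0xff,0xff,0xff,0xff,0xff,0xff,          /* dst: broadcast */
    0x02,0x00,0x00,0x00,0x00,0x01,          /* src */
    0x08,0x06,                              /* EtherType: ARP */
    0x00,0x01, 0x08,0x00, 0x06, 0x04, 0x00,0x01 /* start of an ARP request */
};
static const uint8_t SAMPLE_VLAN_IPV4[] = {
    0x02,0x00,0x00,0x00,0x00,0x02, 0x02,0x00,0x00,0x00,0x00,0x01,
    0x81,0x00, 0x00,0x64,                   /* 802.1Q tag, VLAN 100 */
    0x08,0x00,                              /* inner EtherType: IPv4 */
    0x45,0x00,0x00,0x14                     /* start of an IPv4 header */
};
static const uint8_t SAMPLE_RUNT[] = {      /* 13 bytes: type field cut off */
    0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0x00,0x00,0x00,0x00,0x01, 0x08
};

/* Hypothetical rule set, the equivalent of two "alert eth ... ether_type:..." rules. */
static const struct eth_rule RULES[] = {
    { "ARP frame seen",  0x0806 },
    { "IPv4 frame seen", 0x0800 },
};

/* Run every rule over one frame; returns how many rules fired. */
static int eth_scan_frame(const uint8_t *frame, size_t len)
{
    int hits = 0;
    for (size_t i = 0; i < sizeof RULES / sizeof RULES[0]; i++) {
        if (eth_rule_matches(&RULES[i], frame, len)) {
            printf("[alert] %s (ether_type 0x%04x)\n", RULES[i].msg, RULES[i].ether_type);
            hits++;
        }
    }
    return hits;
}

int main(void)
{
    eth_scan_frame(SAMPLE_ARP, sizeof SAMPLE_ARP);             /* fires ARP rule */
    eth_scan_frame(SAMPLE_VLAN_IPV4, sizeof SAMPLE_VLAN_IPV4); /* fires IPv4 rule */
    eth_scan_frame(SAMPLE_RUNT, sizeof SAMPLE_RUNT);           /* fires nothing */
    return 0;
}
```

The length check before every read of the type field is the part that matters for a decoder: an option that compares `frame[12..13]` without it turns a short capture into an out-of-bounds read. Treating values below 0x0600 as lengths rather than types keeps an `ether_type` rule from matching on raw 802.3/LLC frames by accident.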