Snort mailing list archives

Re: How to write rules for non-TCP (LLC) packets?


From: Russ Combs <rcombs () sourcefire com>
Date: Tue, 23 Apr 2013 16:08:18 -0400

The datalink type in the pcap is ethernet but that doesn't match the outer
layer encapsulation.  You need some way to skip over those first 12 bytes.
It is fairly easy to patch Snort to do that, but having a different DLT to
key off of would be best.

On Tue, Apr 23, 2013 at 1:49 PM, Eric Fowler <eric.fowler () gmail com> wrote:

Tried that. It misses 'em.

The LLC designation is wrong, I have seen other packets marked as IPX and
containing valid data, which is totally impossible. So the headers are
getting munged and wireshark is getting confused.

Maybe I need a lower level tool.

Eric


On Tue, Apr 23, 2013 at 10:32 AM, Joel Esler <jesler () sourcefire com> wrote:

On Apr 23, 2013, at 1:11 PM, Eric Fowler <eric.fowler () gmail com> wrote:

I have a connection between two devices with fixed, known IP addresses
bound to fixed, known MAC addresses, that are communicating on known IP
ports. The traffic going both ways is UDP, but when I snort the packets,
the adapter (or driver, not clear) is messing with the headers and
confusing snort, wireshark, and all other pcap applications I can find. In
particular, snort and wireshark are not able to detect these packets as
being UDP, and can't see IP addresses, even though they are embedded in the
packets (the interface adds 12 bytes of header upstream).

I have tried configuring the interface *not* to do this but that has
ultimately been fruitless. Now I am trying to work with what I have.

I have noticed that the packets I need are flagged in Wireshark as
protocol LLC. I am able to extract (in wireshark) a filter with the MAC
addresses, and the MAC addresses look fine in the display.

I wish to find a way to trap all traffic coming to/from these mac
addresses that "looks like" LLC packets, and find and print the payload
data.

I am using snort rules, but since snort only understands TCP, UDP, etc.
as protocols (not LLC, too low level), none of the alerts fire.

So the question at long last is: how can I write a snort rule that will
alert on all packets (1) coming from a given mac address or (2) with
certain bytes (IP addresses) at certain offsets or (3) that look like LLC
packets?



try "alert ip"

--
*Joel Esler*
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
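An added example, not code from anyone in this thread, showing the workaround Russ describes: read a pcap whose frames carry an unknown 12-byte prefix, skip those bytes, then decode Ethernet/IPv4/UDP and keep only the packets exchanged between the two known MACs. The in-memory pcap, MACs, IPs, ports and prefix bytes are all constructed for the demonstration.

```python
import struct

# Constructed sample pcap: one frame with a 12-byte interface-added prefix
# (contents unknown, arbitrary here) sitting in front of the Ethernet header.
PREFIX = bytes(range(12))
ETH = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
PAYLOAD = b"hello"
UDP = struct.pack("!HHHH", 5000, 6000, 8 + len(PAYLOAD), 0)
IPV4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(UDP), 1, 0, 64, 17, 0,
                   bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
FRAME = PREFIX + ETH + IPV4 + UDP + PAYLOAD
PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # DLT 1 = EN10MB
        + struct.pack("<IIII", 0, 0, len(FRAME), len(FRAME)) + FRAME)

def parse_pcap(data):
    """Yield the raw frames of a little-endian pcap file held in memory."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian, microsecond pcap handled here")
    off = 24
    while off + 16 <= len(data):
        _, _, caplen, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + caplen]
        off += caplen

def decode_udp(frame, skip=12):
    """Drop the prefix, then decode Ethernet/IPv4/UDP; None if not IPv4/UDP."""
    f = frame[skip:]
    if len(f) < 14 or f[12:14] != b"\x08\x00":      # EtherType must be IPv4
        return None
    dst_mac, src_mac = f[0:6].hex(":"), f[6:12].hex(":")
    ip = f[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != 17:  # version 4, proto UDP
        return None
    ihl = (ip[0] & 0x0F) * 4
    src_ip, dst_ip = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
    sport, dport, ulen, _ = struct.unpack_from("!HHHH", ip, ihl)
    return dict(src_mac=src_mac, dst_mac=dst_mac, src_ip=src_ip, dst_ip=dst_ip,
                sport=sport, dport=dport, payload=ip[ihl + 8:ihl + ulen])

def udp_between(pcap, mac_a, mac_b, skip=12):
    """Return decoded UDP packets flowing either way between two known MACs."""
    pair = {mac_a.lower(), mac_b.lower()}
    return [p for p in (decode_udp(fr, skip) for fr in parse_pcap(pcap))
            if p and {p["src_mac"], p["dst_mac"]} == pair]
```

With `skip=0` the same frame decodes as nothing at all, which is the symptom the thread describes: the tools are reading the prefix as if it were the Ethernet header.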




------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_apr
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
