Snort mailing list archives

Re: Snort extension for layer 2 attacks


From: Awais Ali via Snort-devel <snort-devel () lists snort org>
Date: Mon, 2 Mar 2020 16:25:59 +0100

I know there is an ARP preprocessor in Snort. But I want to detect attacks in
special layer 2 protocols like GOOSE, CDP etc.
If I want to detect attacks in the payload of the GOOSE protocol, then
there is no such solution, since Snort detects payload of layer 3 and above.
There are many such special protocols in layer 2 where, if you want to
detect regular extensions/content in the payload, there is no such
solution.

I want to extend Snort in this domain by writing decoders for that
particular protocol, the way we have for other protocols like TCP/UDP above
layer 3.
I need guidelines and a little bit of technical support from you guys, or any
better solution to do this task using Snort.

I hope you will cooperate in this regard. I am looking forward to hearing
from you.

Thanks,
Awais Ali

On Mon, 2 Mar 2020, 15:35 Joel Esler (jesler), <jesler () cisco com> wrote:

We already have a layer 2 tool, check out the arpspoof preprocessor.

--
Joel Esler
Manager, Communities Division
Cisco Talos Intelligence Group
http://www.talosintelligence.com

On Feb 28, 2020, at 12:56 PM, Awais Ali via Snort-devel <
snort-devel () lists snort org> wrote:

Hello all,
I am a master's student working at Siemens AG; nowadays I am working on a
possible extension of Snort for layer 2 attacks. As per my understanding, I
need to write a decoder for that particular protocol and a preprocessor as well.


Can someone guide me on how I can write a decoder for any given layer 2
protocol, the way Snort parses the protocols for layer 3 and above? I hope
you will cooperate in this regard.

Thanks,
Awais Ali
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
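
As an illustration of what a layer 2 decoder for GOOSE has to do before any payload rule can run, here is a stand-alone C sketch added to this archive page; it is not code from the thread or from Snort and does not use Snort's decoder API. The field layout (EtherType 0x88B8, then APPID, Length, Reserved1, Reserved2, then the APDU) follows IEC 61850-8-1; `decode_goose`, `struct goose_frame` and the sample frame are hypothetical names and constructed data.

```c
#include <stdint.h>
#include <stdio.h>

#define ETHERTYPE_VLAN  0x8100  /* IEEE 802.1Q tag */
#define ETHERTYPE_GOOSE 0x88B8  /* IEC 61850-8-1 GOOSE */
#define GOOSE_HDR_LEN   8       /* APPID, Length, Reserved1, Reserved2 */

struct goose_frame {            /* hypothetical result type for this example */
    uint16_t appid;
    uint16_t length;      /* counted from APPID to the end of the APDU */
    const uint8_t *apdu;  /* BER-encoded goosePdu: the payload rules would inspect */
    size_t apdu_len;
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
/* Returns 0 on success, -1 if not GOOSE, -2 if truncated or malformed. */
int decode_goose(const uint8_t *pkt, size_t len, struct goose_frame *out)
{
    if (len < 14) return -2;              /* shorter than an Ethernet header */
    uint16_t type = be16(pkt + 12);       /* EtherType follows the two MACs */
    size_t off = 14;
    if (type == ETHERTYPE_VLAN) {         /* optional priority/VLAN tag */
        if (len < off + 4) return -2;
        type = be16(pkt + off + 2);
        off += 4;
    }
    if (type != ETHERTYPE_GOOSE) return -1;
    if (len < off + GOOSE_HDR_LEN) return -2;
    out->appid  = be16(pkt + off);
    out->length = be16(pkt + off + 2);
    /* Length must cover the header and must not run past the captured bytes. */
    if (out->length < GOOSE_HDR_LEN || (size_t)out->length > len - off) return -2;
    out->apdu     = pkt + off + GOOSE_HDR_LEN;
    out->apdu_len = (size_t)out->length - GOOSE_HDR_LEN;
    return 0;
}
/* Constructed sample: VLAN-tagged GOOSE frame carrying a 4-byte dummy APDU. */
static const uint8_t sample[] = {
    0x01,0x0c,0xcd,0x01,0x00,0x01, 0x00,0x11,0x22,0x33,0x44,0x55, /* MACs */
    0x81,0x00,0x80,0x01, 0x88,0xb8,             /* VLAN tag, EtherType */
    0x00,0x01, 0x00,0x0c, 0x00,0x00, 0x00,0x00, /* GOOSE header */
    0x61,0x02,0x80,0x00 };                      /* dummy APDU */

int main(void) {
    struct goose_frame g;
    if (decode_goose(sample, sizeof sample, &g) != 0) return 1;
    printf("appid=0x%04x apdu_len=%zu tag=0x%02x\n", (unsigned)g.appid, g.apdu_len, g.apdu[0]);
    return 0;
}
```

The Length check uses "not longer than the captured bytes" rather than equality because short Ethernet frames may carry trailing padding.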