[Snort-devel] PPPoE when PPP i/f not local to snort

Wynn Fenwick wfenwick at ...587...
Thu Aug 9 18:56:38 EDT 2001


Hey All,

I'm running Nortel Instant Internet to terminate my PPPoE from my ISP,
do NAT, filtering and proxying, etc for my home LAN. I have created a
DMZ between the II and the DSL modem where ONLY PPPoE flows. I want to
run my Snort sensor in stealth mode without an IP in parallel to the II
box and the stealth interface pointed at the PPPoE hub. Everything works
wonderfully with tcpdump, as you can see this Code-Red scan was picked
up with that setup:


22:04:29.366347 PPPoE  [ses 0x1ed7] IP 50: y.qc.sympatico.ca.3455 > x.sympatico.ca.www: S 1439538750:1439538750(0) win 16384 <mss 1414,nop,nop,[|tcp]> (DF)

22:04:29.366347 PPPoE  [ses 0x1ed7] IP 42: x.sympatico.ca.www > y.qc.sympatico.ca.3455: R 0:0(0) win 0

22:04:29.986347 PPPoE  [ses 0x1ed7] IP 50: y.qc.sympatico.ca.3455 > x.sympatico.ca.www: S 1439538750:1439538750(0) win 16384 <mss 1414,nop,nop,[|tcp]> (DF)

22:04:29.986347 PPPoE  [ses 0x1ed7] IP 42: x.sympatico.ca.www > y.qc.sympatico.ca.3455: R 0:0(0) win 0

Now, when I run Snort, I get nothing, even though I have scanned myself
trying to trigger stuff. Is it because libpcap is not decoding the IP
that is encapsulated in the PPPoE frames, or is it because snort is not
looking at anything other than IP type 1, 6, and 17 datagrams?

I'd dive into the souces and start fixing but it will take me quite
awhile on my own (been awhile since I did any of that), and I don't want
to be working on it in a vacuum, should I decide to.

Opinions/suggestions/flames are welcomed.

W


--
FHLSim - The Fantasy Hockey League Simulator of Choice
http://www.FHLSim.com/

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20010809/d4b57087/attachment.html>


More information about the Snort-devel mailing list