[Snort-devel] Re: small patch for snort's PPP decoder

Martin Roesch roesch at ...48...
Sat Jan 27 02:31:26 EST 2001


Hi Thomas,
     Thanks for the patch, we've patched the decoder with your code and
checked it into the CVS archive.  Thanks again!

   -Marty

Thomas Moestl wrote:
> 
> Hi,
> 
> while toying around with snort on a dialup line, I have noticed that
> some incoming packets would get handled in an incorrect way, some
> generating spurious alerts.
> 
> The reason is simple: DecodePppPkt treats all incoming packets as
> IP packets, but PPP has its own protocol field and may encapsulate
> different protocols. The way things are currently handled, snort
> might also interpret LCP, IPCP and authorization packets wrongly,
> because those will also be received on raw sockets (at least on
> FreeBSD). I have attached a small patch that makes DecodePppPkt
> honor the PPP protocol fields: packets of unknown types are discarded
> (eg LCP and IPCP packets) and IP and IPX packets are decoded
> accordingly. Uncompressed VJ (Van Jacobson compression) packets
> are also handled; the compression in this case just alters the protocol
> field to hold some state, so it only needs to be set to IPPROTO_TCP
> (only TCP packets can be VJ compressed). I also print a warning when
> the first actual compressed VJ frame is received, so that users know
> that those packets cannot be decoded and don't feel safe. Full-blown
> VJ decompression would probably need some kind of PPP state machine
> (the compression is stateful).
> 
> I have not taken much time to familiarize myself with the snort
> coding style, but I hope the patch is acceptable anyway ;-)
> 
>         - thomas
> 
> PS: please CC me when answering to the list.
> 
>   ------------------------------------------------------------------------
> 
>   Name: snort.diff
>   Type: Plain Text (text/plain)

--
Martin Roesch
roesch at ...48...
http://www.snort.org
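As an added example, not Snort's code and not the patch attached to this thread, the following C program demonstrates the demultiplexing Thomas describes: read the PPP protocol field, hand IP and IPX to the right decoder, drop LCP/IPCP/authentication frames instead of running IP rules on them, restore the TCP protocol byte for VJ-uncompressed frames (RFC 1144 overwrites it with the connection slot number), and warn once on the first VJ-compressed frame, which cannot be decoded without the peer's VJ state. It goes beyond the patch by also accepting frames with the address/control field or the leading 0x00 of the protocol field omitted (ACFC/PFC, RFC 1661). The function and type names, the verdict enum and the sample frames are all constructed for this illustration; the PPP protocol numbers are the IANA-assigned values.

```c
/* Added example, not Snort's DecodePppPkt. Assumes raw PPP frames as seen on a
 * DLT_PPP capture: optional 0xff 0x03 address/control, then a 1- or 2-byte
 * protocol field, then the encapsulated packet. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* PPP protocol numbers (IANA "PPP Numbers", RFC 1661 / RFC 1332 / RFC 1144) */
#define PPP_PROTO_IP        0x0021
#define PPP_PROTO_IPX       0x002B
#define PPP_PROTO_VJ_COMP   0x002D  /* Van Jacobson compressed TCP/IP   */
#define PPP_PROTO_VJ_UNCOMP 0x002F  /* Van Jacobson uncompressed TCP/IP */
#define PPP_PROTO_IPCP      0x8021
#define PPP_PROTO_LCP       0xC021
#define PPP_PROTO_PAP       0xC023
#define PPP_PROTO_CHAP      0xC223

#define IPV4_PROTO_OFFSET 9   /* byte 9 of the IPv4 header is the protocol field */
#define IPPROTO_TCP_NUM   6

typedef enum {                /* hypothetical verdict type for this example */
    PPP_DECODE_IP,            /* payload is IPv4: hand to the IP decoder          */
    PPP_DECODE_IPX,           /* payload is IPX: hand to the IPX decoder          */
    PPP_DECODE_VJ_FIXED,      /* VJ uncompressed: ip_p restored to 6, decode as IP */
    PPP_DECODE_VJ_COMPRESSED, /* VJ compressed: undecodable without VJ state      */
    PPP_DECODE_SKIP,          /* LCP, IPCP, PAP, CHAP, anything else: discard      */
    PPP_DECODE_TRUNCATED      /* frame too short to contain what it claims        */
} ppp_verdict;

typedef struct {
    uint16_t proto;          /* protocol field after PFC expansion   */
    size_t   payload_off;    /* where the encapsulated packet starts */
    uint8_t  packet[1600];   /* mutable copy: the VJ fix-up writes into it */
    size_t   packet_len;
} ppp_decoded;

ppp_verdict ppp_decode(const uint8_t *buf, size_t len, ppp_decoded *out)
{
    static int vj_warned = 0;
    size_t off = 0;
    uint16_t proto;

    memset(out, 0, sizeof *out);

    /* Address/Control (0xff 0x03) is absent when ACFC was negotiated. */
    if (len >= 2 && buf[0] == 0xff && buf[1] == 0x03)
        off = 2;
    if (off >= len)
        return PPP_DECODE_TRUNCATED;

    /* PPP protocol numbers have an even high octet and an odd low octet, so a
     * single odd byte here means PFC elided the 0x00 high byte. */
    if (buf[off] & 0x01) {
        proto = buf[off];
        off += 1;
    } else {
        if (off + 2 > len)
            return PPP_DECODE_TRUNCATED;
        proto = (uint16_t)((buf[off] << 8) | buf[off + 1]);
        off += 2;
    }

    out->proto = proto;
    out->payload_off = off;
    out->packet_len = len - off;
    if (out->packet_len > sizeof out->packet)
        out->packet_len = sizeof out->packet;
    memcpy(out->packet, buf + off, out->packet_len);

    switch (proto) {
    case PPP_PROTO_IP:
        return PPP_DECODE_IP;
    case PPP_PROTO_IPX:
        return PPP_DECODE_IPX;
    case PPP_PROTO_VJ_UNCOMP:
        /* RFC 1144: the IP protocol byte carries the VJ slot number; only TCP
         * is ever VJ-compressed, so putting 6 back yields a normal IP/TCP packet. */
        if (out->packet_len <= IPV4_PROTO_OFFSET)
            return PPP_DECODE_TRUNCATED;
        out->packet[IPV4_PROTO_OFFSET] = IPPROTO_TCP_NUM;
        return PPP_DECODE_VJ_FIXED;
    case PPP_PROTO_VJ_COMP:
        if (!vj_warned) {   /* warn once, as the patch description does */
            fprintf(stderr, "WARNING: VJ-compressed TCP frame seen; "
                            "cannot be decoded without PPP/VJ state\n");
            vj_warned = 1;
        }
        return PPP_DECODE_VJ_COMPRESSED;
    default:
        return PPP_DECODE_SKIP;   /* LCP, IPCP, PAP, CHAP, ...: not IP */
    }
}

/* Constructed sample frames (not captured traffic). 20-byte IPv4 header with
 * the protocol byte parameterised so the VJ slot-number case can be shown. */
#define IPV4_HDR(p) 0x45,0x00,0x00,0x28,0x00,0x01,0x00,0x00,0x40,(p), \
                    0x00,0x00,0x0a,0x00,0x00,0x01,0x0a,0x00,0x00,0x02
static const uint8_t SAMPLE_LCP[]       = {0xff,0x03,0xc0,0x21,0x01,0x01,0x00,0x04};
static const uint8_t SAMPLE_IP[]        = {0xff,0x03,0x00,0x21, IPV4_HDR(0x06)};
static const uint8_t SAMPLE_IP_PFC[]    = {0xff,0x03,0x21,      IPV4_HDR(0x06)};
static const uint8_t SAMPLE_IPX[]       = {0xff,0x03,0x00,0x2b,0xff,0xff,0x00,0x1e,0x00,0x11};
static const uint8_t SAMPLE_VJ_UNCOMP[] = {0xff,0x03,0x00,0x2f, IPV4_HDR(0x03)};
static const uint8_t SAMPLE_VJ_COMP[]   = {0xff,0x03,0x00,0x2d,0x0b,0x03,0x10,0x01};

static const char *VERDICT_NAME[] = {
    "IP", "IPX", "VJ-uncompressed (ip_p fixed)", "VJ-compressed (warned)",
    "SKIP", "TRUNCATED"
};

int main(void)
{
    const struct { const char *name; const uint8_t *f; size_t len; } frames[] = {
        {"LCP Configure-Request", SAMPLE_LCP,       sizeof SAMPLE_LCP},
        {"IPv4",                  SAMPLE_IP,        sizeof SAMPLE_IP},
        {"IPv4, PFC",             SAMPLE_IP_PFC,    sizeof SAMPLE_IP_PFC},
        {"IPX",                   SAMPLE_IPX,       sizeof SAMPLE_IPX},
        {"VJ uncompressed TCP",   SAMPLE_VJ_UNCOMP, sizeof SAMPLE_VJ_UNCOMP},
        {"VJ compressed TCP",     SAMPLE_VJ_COMP,   sizeof SAMPLE_VJ_COMP},
    };
    for (size_t i = 0; i < sizeof frames / sizeof frames[0]; i++) {
        ppp_decoded d;
        ppp_verdict v = ppp_decode(frames[i].f, frames[i].len, &d);
        printf("%-22s proto=0x%04x -> %s, payload %zu bytes, ip_p=%u\n",
               frames[i].name, d.proto, VERDICT_NAME[v], d.packet_len,
               d.packet_len > IPV4_PROTO_OFFSET ? d.packet[IPV4_PROTO_OFFSET] : 0);
    }
    return 0;
}
```

Two design points worth keeping from this: the decoder returns a verdict rather than silently passing unknown protocols to the IP decoder, so control-plane frames never reach IP rules, and the VJ fix-up is done on a copy of the payload so the original capture buffer is left untouched for logging.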