[Snort-devel] Protocol plugin

Andrew R. Baker andrewb at ...835...
Mon Sep 1 19:44:02 EDT 2003


Jeremy F Stephens wrote:
> Hi,
> 
> On my network, I set up a snort daemon to track traffic (among other 
> things, of course), and every week a cron job runs that sends snort's 
> internal statistics to root's mail account.  I noticed that more than 
> half of the traffic on my network is included in the "OTHER" protocol 
> category.  I did a tcpdump, and I found that I'm getting packets on the 
> 'snap' protocol and one other protocol that I can't remember off hand.  
> So, is it possible to write a plugin that handles these other 
> protocols?  I noticed in the snort documentation that it only handles 4 
> different kinds.

Are you also seeing 802.3 Ethernet headers?  SNAP frames indicate that 
you are seeing some IPX traffic.  This can be caused simply by running 
with network switches that have spanning tree enabled.  As you have 
already found out, Snort does not support decoding this traffic and 
classifies it as "other".  It would be possible to extend the Snort 
decoder to process these other protocol.

As for Snort only handling 4 different kinds of protocols, that is a bit 
of a mis-statement.  Snort only handles writing rules for IP packets 
(with specific capabilities for matching against TCP, UDP, and ICMP 
header information).  It is capable of decoding many lower layer 
protocols that IP is commonly found on top of.

-A





More information about the Snort-devel mailing list