[Snort-devel] Protocol plugin
Andrew R. Baker
andrewb at ...835...
Mon Sep 1 19:44:02 EDT 2003
Jeremy F Stephens wrote:
> On my network, I set up a snort daemon to track traffic (among other
> things, of course), and every week a cron job runs that sends snort's
> internal statistics to root's mail account. I noticed that more than
> half of the traffic on my network is included in the "OTHER" protocol
> category. I did a tcpdump, and I found that I'm getting packets on the
> 'snap' protocol and one other protocol that I can't remember off hand.
> So, is it possible to write a plugin that handles these other
> protocols? I noticed in the snort documentation that it only handles 4
> different kinds.
Are you also seeing 802.3 Ethernet headers? SNAP frames indicate that
you are seeing some IPX traffic. This can be caused simply by running
with network switches that have spanning tree enabled. As you have
already found out, Snort does not support decoding this traffic and
classifies it as "other". It would be possible to extend the Snort
decoder to process these other protocols.
As for Snort only handling 4 different kinds of protocols, that is a bit
of a misstatement. Snort only handles writing rules for IP packets
(with specific capabilities for matching against TCP, UDP, and ICMP
header information). It is capable of decoding many lower layer
protocols that IP is commonly found on top of.
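As an added example (not Snort code and not from either poster), the following Python classifier dissects the encapsulations the reply mentions: Ethernet II versus an 802.3 length field, 802.2 LLC, SNAP, raw and 802.2 IPX, and spanning-tree BPDUs. The frames are constructed samples, and the names `classify_frame`, `tally` and `make_frame` are this example's own; the type codes (EtherType 0x8137 for IPX, SAP 0x42 for STP, 0xE0 for IPX, 0xAA for SNAP) are the standard assignments.

```python
import struct

# 802.3 frames carry a length (<= 0x05DC); Ethernet II carries an EtherType (>= 0x0600).
ETHERTYPE_IPV4, ETHERTYPE_IPX = 0x0800, 0x8137
SAP_STP, SAP_IPX, SAP_SNAP = 0x42, 0xE0, 0xAA

def classify_frame(frame: bytes) -> str:
    """Name the encapsulation of one raw Ethernet frame (what Snort reports as 'other')."""
    if len(frame) < 14:
        return "short"
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    if type_or_len >= 0x0600:
        return "ethernet2/ipv4" if type_or_len == ETHERTYPE_IPV4 else f"ethernet2/0x{type_or_len:04x}"
    payload = frame[14:14 + type_or_len]
    # Novell "raw" IPX puts the IPX header (checksum 0xFFFF) straight after the length field.
    if payload[:2] == b"\xff\xff":
        return "802.3/ipx-raw"
    if len(payload) < 3:
        return "short"
    dsap, ssap, control = payload[0], payload[1], payload[2]     # 802.2 LLC header
    if dsap == SAP_STP and ssap == SAP_STP:
        return "802.3/stp"           # spanning-tree BPDU sent by a switch
    if dsap == SAP_IPX and ssap == SAP_IPX:
        return "802.3/ipx-802.2"
    if dsap == SAP_SNAP and ssap == SAP_SNAP and control == 0x03:
        if len(payload) < 8:
            return "short"
        ethertype = struct.unpack("!H", payload[6:8])[0]         # follows the 3-byte OUI
        return "802.3/snap/ipx" if ethertype == ETHERTYPE_IPX else f"802.3/snap/0x{ethertype:04x}"
    return f"802.3/llc/0x{dsap:02x}"

def tally(frames) -> dict:
    # Per-encapsulation counts: the breakdown the weekly "OTHER" statistic does not give.
    counts = {}
    for frame in frames:
        kind = classify_frame(frame)
        counts[kind] = counts.get(kind, 0) + 1
    return counts

def make_frame(type_or_len: int, payload: bytes) -> bytes:
    # Constructed frame with placeholder MAC addresses; not captured traffic.
    return b"\x01\x80\xc2\x00\x00\x00" + b"\x00\x11\x22\x33\x44\x55" + struct.pack("!H", type_or_len) + payload

# Constructed samples: one of each encapsulation discussed in the thread.
SAMPLES = [
    make_frame(ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19),                   # Ethernet II / IPv4
    make_frame(38, b"\x42\x42\x03" + b"\x00" * 35),                       # 802.3 / STP BPDU
    make_frame(30, b"\xff\xff" + b"\x00" * 28),                           # 802.3 / raw IPX
    make_frame(33, b"\xe0\xe0\x03" + b"\x00" * 30),                       # 802.3 / 802.2 IPX
    make_frame(38, b"\xaa\xaa\x03\x00\x00\x00\x81\x37" + b"\x00" * 30),   # 802.3 / SNAP / IPX
]
```

Running `tally` over frames read from a pcap of the "OTHER" traffic shows whether the bulk is BPDUs from spanning tree or actual IPX hosts.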