[Snort-devel] PPPoE decoding
mthompson at ...2407...
Fri Feb 27 19:01:01 EST 2004
There is a problem when decoding PPPoE packets, since the Packet->pkt pointer is not reset to the beginning of the Ethernet header; it is being set to the PPP headers. I've included a patch.
This causes barnyard to ignore all of the alerts when it tries to decode.
I'm using a passive tap on a DSL connection, connected to two Ethernet ports that act as a bridge on the sensor. Snort is configured to listen from the bridge to see a reassembly of the split streams out of a tap. It would be nice to see Snort be able to listen off multiple interfaces for tap use to avoid the software bridge.
--- decode.c Mon Oct 20 11:03:17 2003
+++ decode-fix.c Fri Feb 27 21:38:36 2004
@@ -101,8 +101,9 @@
DecodePPPoEPkt(p, pkthdr, pkt);
+ p->pkt = pkt;
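Review bot: The added `p->pkt = pkt;` only restores the pointer after `DecodePPPoEPkt(p, pkthdr, pkt);` has returned, so everything that runs inside that call still sees `p->pkt` pointing at the PPP headers. If the pointer is moved inside the PPPoE decoder, as the message describes, it would be cleaner to stop it being overwritten there, or to keep a separate pointer for the inner headers, than to patch it back at the call site. If the reset stays here, add a one-line comment saying that `p->pkt` must point at the start of the Ethernet frame for consumers of the logged packet, and confirm that the lengths in `pkthdr` still describe the full frame starting at `pkt`. The hunk header announces 8 and 9 lines but only one context line and the added line are visible, and the file headers name `decode.c` and `decode-fix.c` without a tree-relative path, so please resend the patch as a complete unified diff taken from the source root.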