[Snort-devel] PPPoE decoding

Matt Thompson mthompson at ...2407...
Fri Feb 27 19:01:01 EST 2004


There is a problem when decoding PPPoE packets: the Packet->pkt pointer is not reset to the beginning of the Ethernet header; it is being set to the PPP headers.  I've included a patch.

This causes barnyard to ignore all of the alerts when it tries to decode.

I'm using a passive tap on a DSL connection, connected to two Ethernet ports that act as a bridge on the sensor.  Snort is configured to listen from the bridge to see a reassembly of the split streams out of a tap.  It would be nice to see Snort be able to listen off multiple interfaces for tap use to avoid the software bridge.

Matt Thompson


--- decode.c    Mon Oct 20 11:03:17 2003
+++ decode-fix.c        Fri Feb 27 21:38:36 2004
@@ -101,8 +101,9 @@
     {
         case ETHERNET_TYPE_PPPoE_DISC:
         case ETHERNET_TYPE_PPPoE_SESS:
             DecodePPPoEPkt(p, pkthdr, pkt);
+           p->pkt = pkt;
             return;

         case ETHERNET_TYPE_IP:
             DEBUG_WRAP(
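
Review bot: the added `p->pkt = pkt;` after the `DecodePPPoEPkt(p, pkthdr, pkt)` call repairs the pointer at the call site instead of where it gets changed. Going by the message, the PPPoE decoder leaves `p->pkt` at the PPP headers, so any code that reads `p->pkt` before that call returns, and any other caller of `DecodePPPoEPkt`, would still see the wrong offset. Consider making `DecodePPPoEPkt` itself leave `p->pkt` at the start of the Ethernet frame, or at minimum add a comment on this line saying why the reset is needed (output consumers such as barnyard expect the record to start at the Ethernet header). The new line also appears to be indented one column short of the other statements in the case body.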

