Re: [Snort-users] Fwd: Snort and ippp0 Interface

Carsten Blume cblume at ...1789...
Thu Apr 19 08:46:55 EDT 2001


FYI: it works now with kernel 2.2.19, libpcap 0.6.2 and the current
CVS snapshot (and even with ACID v0.9.6b6).

Thanks to <insert name here> for fixing.

Greetings
Carsten Blume

>-----Original Message-----
>From: Carsten Blume [mailto:cblume at ...1789...]
>Sent: Wednesday, 11 April 2001 13:56
>To: 'snort-users at lists.sourceforge.net'
>Subject: [Snort-users] Fwd: Snort and ippp0 Interface
>
>
>Some more info:
>When I use the old version of libpcap I get the error shown below,
>so IMHO libpcap 0.6.2 is the modified one but Snort is not able
>to recognize/handle this kind of traffic.
>
>Is there a solution/patch available?
>
>Carsten
>
>-*> Snort! <*-
>Version 1.7
>By Martin Roesch (roesch at ...66..., www.snort.org)
>[!] WARNING: Not IPv4 datagram! ([ver: 0x0][len: 0x3])
>04/11-13:47:13.719528 xx.xx.xx.xx:29514 -> xx.xx.xx.xx:22
>TCP TTL:121 TOS:0x0 ID:14755 IpLen:20 DgmLen:40 DF
>***A**** Seq: 0x1AB95  Ack: 0xF4A589EF  Win: 0x2114  TcpLen: 20
>
>=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
>+=+=+=+=+=+
>
>[!] WARNING: Not IPv4 datagram! ([ver: 0x0][len: 0x3])
>[!] WARNING: Not IPv4 datagram! ([ver: 0x0][len: 0x3])
>[!] WARNING: Not IPv4 datagram! ([ver: 0x0][len: 0x3])
>[!] WARNING: Not IPv4 datagram! ([ver: 0x0][len: 0x3])
>04/11-13:47:13.850880 xx.xx.xx.xx:29514 -> xx.xx.xx.xx:22
>TCP TTL:121 TOS:0x0 ID:15011 IpLen:20 DgmLen:40 DF
>***A**** Seq: 0x1AB95  Ack: 0xF4A58C7F  Win: 0x1E84  TcpLen: 20
>
>=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
>+=+=+=+=+=+
>
>>-----Original Message-----
>>From: Carsten Blume
>>Sent: Wednesday, 11 April 2001 11:50
>>To: 'snort-users at lists.sourceforge.net'
>>Subject: Snort and ippp0 Interface
>>
>>
>>Hi,
>>
>>Here is the error message I receive when I try to start Snort
>>on my ippp0 interface.
>>
>>Snort Version 1.7
>>
>>www:/var/log # snort -edv -i ippp0
>>        --== Initializing Snort ==--
>>Initializing Network Interface ippp0
>>snort cannot handle data link type 113
>>Exiting...
>>
>>While debugging I found the following in snort.c:
>>
>>/*
>>* you need the I4L modified version of libpcap to get this stuff
>>* working
>>*/
>>
>>But where do I get this version? I fetched the latest version
>>of libpcap from www.tcdump.org but I still get the same error
>>message. (BTW: the version available on the download section is
>>0.4. The one available on www.tcdump.org is 0.6.2).
>>
>>I queried Google but did not receive anything useful except
>>one message regarding bpf.h:
>>http://archives.neohapsis.com/archives/snort/2001-02/0338.html
>>
>>Could someone please tell me where I can get this *$%&$&
>>version of libpcap,
>>because having Snort listening on my internal eth0 interface is not
>>really exciting ;-)
>>
>>Thanks in advance
>>
>>Carsten Blume
>>
>>N.B.: Please tell me if the tcpdump workers mailing list is a better
>>place for this e-mail.
>>
>
>
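Background for readers of this archived thread: data link type 113 is libpcap's DLT_LINUX_SLL, the Linux "cooked" capture format, which puts a 16-byte pseudo-header in front of each packet. The C code below is an added example, not code from Snort, libpcap or the poster; it shows the link-type check and header skip a decoder needs before it tests for IPv4, and what the IP version nibble looks like when read at the wrong offset. The frame bytes are constructed (field values borrowed from the log above, documentation addresses), and the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DLT_LINUX_SLL 113     /* libpcap link type: Linux "cooked" capture */
#define SLL_HDR_LEN   16      /* pkttype(2) hatype(2) halen(2) addr(8) proto(2) */
#define ETHERTYPE_IP  0x0800

/* Constructed sample frame: SLL pseudo-header followed by an IPv4 header. */
static const uint8_t sample_frame[] = {
    0x00, 0x00,               /* packet type 0: addressed to this host */
    0x02, 0x00,               /* ARPHRD type 512 (PPP), constructed */
    0x00, 0x00,               /* link-layer address length 0 */
    0, 0, 0, 0, 0, 0, 0, 0,   /* address field, unused */
    0x08, 0x00,               /* protocol: IPv4 */
    0x45, 0x00, 0x00, 0x28,   /* version 4, IHL 5, total length 40 */
    0x39, 0xa3, 0x40, 0x00,   /* ID 14755, DF set */
    0x79, 0x06, 0x00, 0x00,   /* TTL 121, TCP, checksum zeroed */
    192, 0, 2, 1,             /* source (documentation address) */
    192, 0, 2, 2              /* destination (documentation address) */
};

/* Offset of the IPv4 header in a frame of link type dlt, or -1 when the
 * link type has no decoder here, the frame is short, or it is not IPv4. */
int ipv4_offset(int dlt, const uint8_t *p, size_t len)
{
    if (dlt != DLT_LINUX_SLL)
        return -1;                              /* unhandled data link type */
    if (len < SLL_HDR_LEN + 20)
        return -1;                              /* truncated capture */
    if (((p[14] << 8) | p[15]) != ETHERTYPE_IP)
        return -1;                              /* payload is not IPv4 */
    if ((p[SLL_HDR_LEN] >> 4) != 4 || (p[SLL_HDR_LEN] & 0x0f) < 5)
        return -1;                              /* bad version or header length */
    return SLL_HDR_LEN;
}

/* IP version nibble as seen when the header is read at offset off. */
int ip_version_at(const uint8_t *p, size_t len, size_t off)
{
    return off < len ? p[off] >> 4 : -1;
}

int main(void)
{
    printf("version read at offset 0:  %d\n", ip_version_at(sample_frame, sizeof sample_frame, 0));
    printf("IPv4 header found at byte: %d\n", ipv4_offset(DLT_LINUX_SLL, sample_frame, sizeof sample_frame));
    return 0;
}
```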