[Snort-users] snort 1.7 on OpenBSD and null header length

Todd Ransom TRansom at ...197...
Wed Jan 31 00:09:54 EST 2001


This brings up another interesting point.  I want to move snort to a
different system, in parallel with my firewall, but this means it will
only see PPPoE traffic.  Is this going to work?  Ethereal seems to
automagically decode a tcpdump formatted file that contains nothing but
PPPoE traffic, but will my snort signatures still match?

thanks for all your help and for snort itself,
TR

> -----Original Message-----
> From: Martin Roesch [mailto:roesch at ...421...]
> Sent: Friday, January 26, 2001 12:32 AM
> To: Todd Ransom
> Cc: Snort-Users (E-mail)
> Subject: Re: [Snort-users] snort 1.7 on OpenBSD and null header length
> 
> 
> The NULL interface is usually the loopback.  Hmm, PPPoE isn't supported
> in Snort currently, that's probably going to cause a problem.  I'll take
> a look at the RFC and see if we can code up a decoder for it.
> 
>      -Marty
> 
> Todd Ransom wrote:
> > 
> > I'm listening on tun0 (PPPoE).  What the heck is a NULL interface?
> > 
> > TR
> > 
> > -----Original Message-----
> > From: Martin Roesch [mailto:roesch at ...421...]
> > Sent: Thursday, January 18, 2001 1:48 AM
> > To: Todd Ransom
> > Cc: Snort-Users (E-mail)
> > Subject: Re: [Snort-users] snort 1.7 on OpenBSD and null header length
> > 
> > The header length for the NULL interface that you're listening on is
> > less than 4 bytes.  You can turn off this message by simply editing the
> > DecodeNullPkt() function in decode.c and commenting out the ErrorMessage
> > call at the bottom of the function.  I'm going to put a patch into the
> > program that will only allow this message to be sent when the -v flag is
> > set.
> > 
> >    -Marty
> > 
> > Todd Ransom wrote:
> > >
> > > Can anyone tell me what this means?
> > >
> > > Jan 14 21:47:38 heimdall snort: NULL header length < captured len! (0 bytes)
> > > Jan 14 21:48:08 heimdall last message repeated 22546 times
> > > Jan 14 21:50:09 heimdall last message repeated 86796 times
> > > Jan 14 22:00:10 heimdall last message repeated 422193 times
> > > Jan 14 22:10:12 heimdall last message repeated 425756 times
> > > Jan 14 22:20:12 heimdall last message repeated 418332 times
> > > Jan 14 22:30:13 heimdall last message repeated 421912 times
> > > Jan 14 22:40:14 heimdall last message repeated 421058 times
> > > Jan 14 22:50:15 heimdall last message repeated 420325 times
> > > Jan 14 23:00:17 heimdall last message repeated 419379 times
> > > Jan 14 23:10:18 heimdall last message repeated 425026 times
> > > Jan 14 23:20:18 heimdall last message repeated 422251 times
> > > Jan 14 23:30:19 heimdall last message repeated 424315 times
> > > Jan 14 23:40:20 heimdall last message repeated 409748 times
> > > Jan 14 23:50:21 heimdall last message repeated 408098 times
> > > Jan 15 00:00:22 heimdall last message repeated 409798 times
> > > Jan 15 00:10:23 heimdall last message repeated 421125 times
> > > [and on and on]
> > >
> > > TR
> > >
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users at lists.sourceforge.net
> > > Go to this URL to change user options or unsubscribe:
> > > http://lists.sourceforge.net/lists/listinfo/snort-users
> > 
> > --
> > Martin Roesch
> > roesch at ...421...
> > http://www.snort.org
> 
> --
> Martin Roesch
> roesch at ...421...
> http://www.snort.org

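Added example, not part of the thread and not Snort's decoder code: a sketch of what a PPPoE session decoder has to do before IP-level signatures can inspect a frame, following the RFC 2516 header layout and rejecting captures shorter than the headers claim. The function name pppoe_ipv4_offset and the sample frame are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETH_HDR_LEN      14
#define ETHERTYPE_PPPOES 0x8864   /* PPPoE session stage (RFC 2516) */
#define PPPOE_HDR_LEN    6        /* ver/type, code, session id, length */
#define PPP_PROTO_IPV4   0x0021

/* Constructed sample: Ethernet + PPPoE session + PPP + bare IPv4 header. */
static const uint8_t SAMPLE[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x88,0x64,
    0x11,0x00, 0x00,0x01, 0x00,0x16,          /* v1/t1, code 0, sid 1, len 22 */
    0x00,0x21,                                /* PPP protocol id: IPv4 */
    0x45,0x00,0x00,0x14, 0x00,0x00,0x00,0x00, 0x40,0x06,0x00,0x00,
    0xc0,0x00,0x02,0x01, 0xc0,0x00,0x02,0x02
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Hypothetical helper: returns the offset of the IPv4 header inside an
 * Ethernet frame carrying PPPoE session data, or -1 if the frame is not
 * PPPoE/IPv4 or the capture is shorter than the headers claim.
 * On success *ip_len is the number of IP bytes (Ethernet padding excluded). */
int pppoe_ipv4_offset(const uint8_t *frame, size_t caplen, size_t *ip_len)
{
    if (caplen < ETH_HDR_LEN + PPPOE_HDR_LEN + 2) return -1;  /* truncated */
    if (rd16(frame + 12) != ETHERTYPE_PPPOES) return -1;      /* not session */
    const uint8_t *ph = frame + ETH_HDR_LEN;
    if (ph[0] != 0x11) return -1;      /* version 1, type 1 */
    if (ph[1] != 0x00) return -1;      /* code 0 = session data */
    size_t plen = rd16(ph + 4);        /* payload length, incl. PPP id */
    if (plen < 2) return -1;           /* no room for the PPP protocol id */
    if (plen > caplen - ETH_HDR_LEN - PPPOE_HDR_LEN) return -1; /* overclaims */
    if (rd16(ph + PPPOE_HDR_LEN) != PPP_PROTO_IPV4) return -1;
    *ip_len = plen - 2;
    return ETH_HDR_LEN + PPPOE_HDR_LEN + 2;
}

int main(void)
{
    size_t n = 0;
    int off = pppoe_ipv4_offset(SAMPLE, sizeof SAMPLE, &n);
    printf("IPv4 header at offset %d, %zu bytes\n", off, n);
    return 0;
}
```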


