[Snort-users] [Newbie] pppoe

Marc Thompson Marc.Thompson at ...2101...
Thu Jun 7 10:50:53 EDT 2001


I don't know how difficult it would be to add awareness of PPPoE to
Snort.  Though, I do believe that each version adds more protocols...
maybe someone out there knows whether or not this is being considered.

Not being a C coder I can only speculate on how easy or hard it
would be to add support for PPPoE to Snort.  I still think that the
way to go is to get a DSL modem that strips the PPP encapsulation
from the packet and sends regular Ethernet frames to your PC, but
maybe writing a PPPoE handler is a personal scratch for you to itch,
so by all means give it a whirl.

Performance... whizbang.  Snort (for me) hasn't had any trouble
sniffing high-speed networks.  The trick is to use only the rules
that you really need.  If you're not running the Chameleon server, for
example, there's really no need to use rules that check for
the Chameleon SMTP overflow attack.

Marc Thompson

Marc Thompson
IT Site Manager
BOPS, Inc.
7800 Shoal Creek Blvd. Suite 200N
Austin, TX 78757
Direct: (512)407-1103
Fax:  (512)346-8407

-----Original Message-----
From: William Pomian [mailto:willish at ...953...]
Sent: Thursday, June 07, 2001 8:14 AM
To: Marc Thompson
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] [Newbie] pppoe

On Thu, 7 Jun 2001 07:41:59 -0500 
Marc Thompson wrote:
> William,
> It looks like it is working, just doesn't know how to
> decode the protocol:
>   OTHER: 2009       (99.851%)
> Are you using a DSL modem?  It may be possible to exchange
> your DSL modem for one that has a bona-fide Ethernet connection
> in it.

I haven't looked at the Snort source code yet, but it may be possible
to implement PPPoE decapsulation like Ethereal does ...

Do you think that is a hard task?
What about Snort performance?

Thx Marc,
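
The decapsulation discussed in this thread, sketched as an added example (it is not part of either message and is not Snort's or Ethereal's code): a PPPoE session frame has EtherType 0x8864, a 6-byte PPPoE header and a PPP protocol field in front of the IP packet, which is why a decoder without PPPoE support counts such frames as OTHER. The function name and the sample frame are constructed for illustration, and an uncompressed two-byte PPP protocol field is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETH_HDR_LEN    14
#define PPPOE_HDR_LEN  6        /* ver/type, code, session id (2), length (2) */
#define ETHERTYPE_PPPOE_SESSION 0x8864
#define PPP_PROTO_IPV4 0x0021

/* Constructed sample: Ethernet + PPPoE session + PPP + a bare 20-byte IPv4 header. */
static const uint8_t sample_frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55,      /* destination MAC */
    0x66,0x77,0x88,0x99,0xaa,0xbb,      /* source MAC */
    0x88,0x64,                          /* EtherType: PPPoE session stage */
    0x11, 0x00,                         /* version 1 / type 1, code 0 (data) */
    0x00,0x01,                          /* session id */
    0x00,0x16,                          /* payload length: 2 (PPP) + 20 (IP) */
    0x00,0x21,                          /* PPP protocol: IPv4 */
    0x45,0x00,0x00,0x14,0x00,0x00,0x00,0x00,0x40,0x06,
    0x00,0x00,0x0a,0x00,0x00,0x01,0x0a,0x00,0x00,0x02
};

/* Hypothetical helper: returns a pointer to the inner IPv4 packet and stores
 * its length in *ip_len, or NULL if the frame is not a well-formed PPPoE
 * session frame carrying IPv4. */
const uint8_t *pppoe_unwrap_ipv4(const uint8_t *frame, size_t len, size_t *ip_len)
{
    if (len < ETH_HDR_LEN + PPPOE_HDR_LEN + 2)
        return NULL;                              /* too short to hold the headers */
    if (((frame[12] << 8) | frame[13]) != ETHERTYPE_PPPOE_SESSION)
        return NULL;                              /* not PPPoE session traffic */
    const uint8_t *p = frame + ETH_HDR_LEN;
    if (p[0] != 0x11 || p[1] != 0x00)
        return NULL;                              /* wrong version/type or not data */
    size_t payload_len = (size_t)((p[4] << 8) | p[5]);
    /* Never trust the length field beyond the bytes actually captured. */
    if (payload_len < 2 || payload_len > len - ETH_HDR_LEN - PPPOE_HDR_LEN)
        return NULL;
    if (((p[6] << 8) | p[7]) != PPP_PROTO_IPV4)
        return NULL;                              /* LCP, IPCP, IPv6, ... */
    *ip_len = payload_len - 2;
    return p + PPPOE_HDR_LEN + 2;
}

int main(void)
{
    size_t n = 0;
    const uint8_t *ip = pppoe_unwrap_ipv4(sample_frame, sizeof sample_frame, &n);
    printf("%s, inner length %zu\n", ip ? "IPv4 found" : "not decoded", n);
    return 0;
}
```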

