[Snort-users] Snort 1.8.6 and PPPoE links

C.J.O. cjo at ...3945...
Thu Jun 20 16:04:06 EDT 2002

Re all,

I'm running snort 1.8.6 in daemon mode and logging in binary format, and 
have been experiencing some "issues".

This particular sensor is snorting via a NIC running stealth, which has 
been positioned directly behind a DSL modem with PPPoE 
connectivity.  Therefore the snort sensor is "seeing" raw PPPoE.

{switch}<-->{router doing NAT} <-snort sensor->{DSL modem} <-->{Internet}

I bring up snort with:

/usr/sbin/snort -A full -b -l /var/log/snort/ -d -e -D -i eth1 -c 

If I choose normal, non-binary/tcpdump format logging, I don't run into any 

The "issue" I'm experiencing is that each logged packet is logged as 
"Ethernet II" format according to Ethereal, and thus lacks layer 3 and 
layer 4 info.  This layer 3/4 data is present in the logged entry in the 
"alert" file, but not in the binary packet logs.

Here is a typical packet:

17:24:22.804107 0:78:a6:60:40:0 0:7a:0:21:45:0 7d06 142:
0x0000   9155 40e7 1031 40e7 33cb 05a3 0050 63e4        .U@..1@.3....Pc.
0x0010   e68d 7475 e84a 5018 4248 e642 0000 4745        ..tu.JP.BH.B..GE
0x0020   5420 2f63 2f77 696e 6e74 2f73 7973 7465        T./c/winnt/syste
0x0030   6d33 322f 636d 642e 6578 653f 2f63 2b64        m32/cmd.exe?/c+d
0x0040   6972 2048 5454 502f 312e 300d 0a48 6f73        ir.HTTP/1.0..Hos
0x0050   743a 2077 7777 0d0a 436f 6e6e 6e65 6374        t:.www..Connnect
0x0060   696f 6e3a 2063 6c6f 7365 0d0a 0d0a 3a20        ion:.close....:.
0x0070   4170 6163 6865 0d0a 5757 572d 4175 7468        Apache..WWW-Auth

In addition, my snort binary logs contain numerous "Malformed Packets".

I'm aware that libpcap has problems with PPPoE (lack of PPPoE code).  Could 
this be the cause here as well?  Does snort use libpcap for its binary 
logging or libnet?

I should mention that there have been some properly binary logged packets, 
complete with layer 2, 3 & 4 data, however 95% of the time it's like above.

TIA to all.  Cheers,

Christopher J. Oliver
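
An added example, not part of the original post: a Python check that slides over the bytes of the packet shown above and looks for an IPv4 header with a valid checksum, to see where layer 3 actually starts in the logged record. `RECORD` is re-typed from the dump in the post; the function names are hypothetical.

```python
import struct

# Bytes re-typed from the dump in the post, in on-the-wire order. tcpdump -e
# prints source before destination, so "0:7a:0:21:45:0" is bytes 0-5,
# "0:78:a6:60:40:0" is bytes 6-11 and "7d06" is the apparent EtherType.
RECORD = bytes.fromhex(
    "007a00214500" "0078a6604000" "7d06"
    "915540e7103140e733cb05a3005063e4"   # dump row 0x0000
    "e68d7475e84a50184248e6420000"       # start of dump row 0x0010
)

def checksum_ok(header):
    """True if the 16-bit one's-complement sum over an IPv4 header is 0xffff."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def find_ipv4(buf, max_offset=32):
    """Slide over buf; return (offset, fields) for the first header that has
    version 4, a sane IHL and a valid checksum, or None if there is none."""
    for off in range(min(max_offset, len(buf) - 20) + 1):
        ihl = (buf[off] & 0x0F) * 4
        if buf[off] >> 4 != 4 or ihl < 20 or off + ihl > len(buf):
            continue
        if not checksum_ok(buf[off:off + ihl]):
            continue
        fields = {
            "total_len": struct.unpack_from("!H", buf, off + 2)[0],
            "ttl": buf[off + 8],
            "proto": buf[off + 9],
            "src": ".".join(map(str, buf[off + 12:off + 16])),
            "dst": ".".join(map(str, buf[off + 16:off + 20])),
        }
        if fields["proto"] == 6 and off + ihl + 4 <= len(buf):  # TCP ports
            fields["sport"], fields["dport"] = struct.unpack_from("!HH", buf, off + ihl)
        return off, fields
    return None

def pppoe_tail(buf, off):
    """Read the 4 bytes before the IP header as the last two PPPoE session
    fields: payload length, then PPP protocol (0x0021 means IPv4)."""
    if off < 4:
        return None
    return struct.unpack_from("!HH", buf, off - 4)

if __name__ == "__main__":
    off, ip = find_ipv4(RECORD)
    print("IPv4 header at offset", off, ip)
    print("preceding PPPoE length / PPP protocol:", pppoe_tail(RECORD, off))
```

The header validates at offset 4, preceded by a PPPoE payload length of 122 (the 120-byte IP datagram plus the 2-byte PPP protocol field), so the bytes Ethereal reads as MAC addresses and EtherType are the tail of the PPPoE header and the start of the IP header. The frame length tcpdump prints (142) equals 14 + 6 + 2 + 120, the size of the full Ethernet + PPPoE + PPP + IP frame.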

