[Snort-users] Re:Snort & Cisco Catalyst ISL

limbo limbo at ...4177...
Thu May 9 19:41:02 EDT 2002


Yep. I have fixed this problem in snort 1.8.4 :)
You know, the ethernet frame is encapsulated with a 26-byte header and a 4-byte tail (CRC checksum) according to Cisco ISL. So, we only need to modify DecodeEthPkt() in decode.c :)
 

decode.c
/* $Id: decode.c,v 1.48.2.7 2002/03/16 06:31:16 roesch Exp $ */
......
void DecodeEthPkt(Packet * p, struct pcap_pkthdr * pkthdr, u_int8_t * pkt)
{
    ......
    /* lay the ethernet structure over the packet data */
    p->eh = (EtherHdr *) pkt;

#ifdef DEBUG
    ErrorMessage("%X   %X\n", *p->eh->ether_src, *p->eh->ether_dst);
#endif

/******************************************************/
/* check to see if we've got a CISCO ISL packet.      */
/* Added by limbo & flag. 2002/05/08                  */
/* ISL wraps the frame in a 26-byte header and a      */
/* 4-byte CRC trailer; the SNAP bytes AA AA 03 sit at */
/* offset 14 of that header.                          */

    /* make sure the ISL header, the inner Ethernet header and the
     * CRC were actually captured before reading bytes 14..16 and
     * before computing cap_len - 44 (cap_len is unsigned) */
    if ( (cap_len >= 44) &&
         (*(pkt+14) == 0xaa) && (*(pkt+15) == 0xaa) && (*(pkt+16) == 0x3) )
    {
        /* ether_type of the encapsulated frame: 26 (ISL) + 12 */
        u_int16_t inner_type = (pkt[38] << 8) | pkt[39];

#ifdef DEBUG
        PrintNetData(stdout, p->pkt, cap_len);
        ClearDumpBuf();
#endif
        /* 40 = 26 + 14;  44 = 40 + 4 */
        /* only hand the payload to DecodeIP when the inner frame is IP */
        if(inner_type == ETHERNET_TYPE_IP)
            DecodeIP(p->pkt + 40, cap_len - 44, p);
        return;
    }
/*****************************************************/
    /* grab out the network type */
    switch(ntohs(p->eh->ether_type))
    {
        ........


good luck

limbo
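A stand-alone version of that ISL check, added here as an example (my code, not limbo's patch or Snort's decode.c): it locates the inner IPv4 header at the offsets the reply uses (26 + 14 = 40, minus a trailing 4-byte CRC) on a constructed ISL frame, and adds the capture-length and inner-ethertype guards a decoder needs before handing the bytes to the IP layer. The header constants and the sample frame bytes are assumptions built for the demonstration; the CRC in the sample is a zero placeholder, not computed.

```c
#include <stdint.h>
#include <string.h>

#define ISL_HDR_LEN  26      /* Cisco ISL encapsulation header */
#define ISL_CRC_LEN  4       /* trailing ISL CRC */
#define ETH_HDR_LEN  14
#define IP_MIN_LEN   20
#define ETHERTYPE_IP 0x0800

/* Returns 1 if pkt is an ISL frame carrying IPv4 and sets the inner IP offset/length; else 0. */
int isl_inner_ip(const uint8_t *pkt, uint32_t cap_len,
                 uint32_t *ip_off, uint32_t *ip_len)
{
    /* Guard before touching bytes 14..16 or subtracting 44 from an unsigned cap_len. */
    if (cap_len < ISL_HDR_LEN + ETH_HDR_LEN + IP_MIN_LEN + ISL_CRC_LEN)
        return 0;
    /* The ISL header carries the SNAP bytes AA AA 03 at offset 14. */
    if (pkt[14] != 0xaa || pkt[15] != 0xaa || pkt[16] != 0x03)
        return 0;
    /* Inner Ethernet type is at offset 26 + 12; read byte-wise to avoid alignment issues. */
    uint16_t inner_type = (uint16_t)((pkt[ISL_HDR_LEN + 12] << 8) | pkt[ISL_HDR_LEN + 13]);
    if (inner_type != ETHERTYPE_IP)
        return 0;
    *ip_off = ISL_HDR_LEN + ETH_HDR_LEN;                            /* 40 */
    *ip_len = cap_len - (ISL_HDR_LEN + ETH_HDR_LEN + ISL_CRC_LEN);  /* cap_len - 44 */
    return 1;
}

/* Builds a constructed 64-byte ISL frame (ISL header, inner Ethernet header, minimal
 * IPv4 header, zero CRC) into buf; returns its length, or 0 if buf is too small. */
size_t build_sample_isl(uint8_t *buf, size_t bufsz)
{
    static const uint8_t isl_hdr[ISL_HDR_LEN] = {
        0x01,0x00,0x0c,0x00,0x00, 0x00,              /* DA (ISL multicast), TYPE/USER */
        0x00,0x11,0x22,0x33,0x44,0x55, 0x00,0x00,    /* SA, LEN */
        0xaa,0xaa,0x03, 0x00,0x00,0x0c,              /* SNAP LLC, HSA */
        0x00,0x14, 0x00,0x00, 0x00,0x00 };           /* VLAN/BPDU, INDEX, RES */
    static const uint8_t eth_ip[ETH_HDR_LEN + IP_MIN_LEN] = {
        0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x11,0x22,0x33,0x44,0x55, 0x08,0x00,
        0x45,0x00,0x00,0x14, 0x00,0x00,0x00,0x00, 0x40,0x01,0x00,0x00,
        0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02 };
    size_t total = ISL_HDR_LEN + sizeof eth_ip + ISL_CRC_LEN;
    if (bufsz < total)
        return 0;
    memcpy(buf, isl_hdr, ISL_HDR_LEN);
    memcpy(buf + ISL_HDR_LEN, eth_ip, sizeof eth_ip);
    memset(buf + ISL_HDR_LEN + sizeof eth_ip, 0, ISL_CRC_LEN);  /* CRC placeholder */
    return total;
}
```

Feeding the returned offset and length into the IP decoder is what limbo's `DecodeIP(p->pkt + 40, cap_len - 44, p)` call does; the difference is that a truncated capture or a non-IP inner frame is rejected instead of being decoded as IP.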

----------------------------------------------------
From: Dave Cundiff (dave.cundiff at ...5198...)
Date: Mon Mar 04 2002 - 07:50:08 CST 

I'm looking at setting up snort for my network here but have a quick 
question that I can't seem to answer from any of the documentation. I'm 
going to be using a hardware sniffer to copy the ISL trunk going between my 
main switch and my router to a snort box. This should allow snort to sniff 
all traffic on my network. However since it's an ISL trunk all the packets 
will have an additional header on them containing what vlan the packet is 
for. 


So my question is: is there some way that Snort can ignore that first
header? Or will it just not be able to make any sense out of the packet?


Dave Cundiff 
Systems Administrator 
World Wide Net, Inc. 
http://www.wwnet.net 

