[Snort-users] Detecting ARP and "OTHER" protocols

Sheahan, Paul (PCLN-NW) Paul.Sheahan at ...2218...
Fri Sep 13 12:57:49 EDT 2002


I'm running Snort 1.8.7 on RHLinux7.0

I was looking at my Snort stats and noticed that it says it detected ARP
packets and "OTHER" packets besides IP/TCP/UDP. Since Snort seems to know
about ARP packets, as a test, I created a test rule to alert whenever an ARP
packet is detected so I can get an idea what is going on on my network. I
started by creating a rule like this:

alert arp any any -> any any (msg:"ARP packets detected";)

But I got a segmentation fault (core dump). Is there another way I can do
this, or is Snort not capable of alerting on ARP packets?

I was also looking to determine what "OTHER" protocols Snort claims it is
seeing out there. What would be the best way to do this? It would seem
logical to use an alert such as:

alert !ip any any -> any any (msg:"Non-IP packets detected";)

but this didn't work either.

I was hoping someone had some tips on the above... thanks!
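One Snort-independent way to answer the "what non-IP traffic is out there" question in the post, as an added example that is not from the original thread: a small Python tally of EtherTypes over raw Ethernet frames, so ARP and anything a sniffer would lump under "OTHER" show up by protocol number. The sample frames, the `make_frame` helper and the `ETHERTYPES` table are constructed here; in practice you would feed it frames read from a pcap or a raw socket.

```python
import struct
from collections import Counter

# Constructed lookup of common IEEE-registered EtherType values.
ETHERTYPES = {
    0x0800: "IP",
    0x0806: "ARP",
    0x86DD: "IPv6",
}
VLAN_TAG = 0x8100

def classify_frame(frame: bytes) -> str:
    """Name the protocol carried by one raw Ethernet frame.

    Ethernet II puts the EtherType in bytes 12-13.  A value of 1500 or
    less is an 802.3 length field instead, so the frame is not IP or ARP
    at all and would land in a sniffer's "OTHER" bucket.
    """
    if len(frame) < 14:
        return "TRUNCATED"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype <= 1500:
        return "802.3 (length field)"
    if ethertype == VLAN_TAG:
        # 802.1Q: the real EtherType follows the 4-byte tag.
        if len(frame) < 18:
            return "TRUNCATED"
        ethertype = struct.unpack("!H", frame[16:18])[0]
    return ETHERTYPES.get(ethertype, f"OTHER (0x{ethertype:04x})")

def tally(frames) -> Counter:
    """Count frames per protocol name; unknown types keep their hex value."""
    return Counter(classify_frame(f) for f in frames)

def make_frame(ethertype: int, payload: bytes = b"\x00" * 46) -> bytes:
    """Constructed frame builder: broadcast dst, fixed src, given EtherType."""
    hdr = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55"
    return hdr + struct.pack("!H", ethertype) + payload

# Constructed sample capture: ARP, two IP, LLDP, an 802.3 frame, VLAN-tagged ARP.
SAMPLE_FRAMES = [
    make_frame(0x0806),
    make_frame(0x0800),
    make_frame(0x0800),
    make_frame(0x88CC),
    make_frame(0x0026),
    make_frame(VLAN_TAG, struct.pack("!HH", 0x0064, 0x0806) + b"\x00" * 46),
]

if __name__ == "__main__":
    for proto, n in tally(SAMPLE_FRAMES).most_common():
        print(f"{n:5d}  {proto}")
```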

