[Snort-users] Snort and PPPoE / tun interface

UIA Security Team security at ...9542...
Mon Jun 23 10:00:25 EDT 2003


All,

We are running Snort 2.0 on FreeBSD and are having some trouble getting it 
to work on PacBell DSL, which is PPPoE.


1.  Can snort decode "raw" PPPoE yet?  I saw that several people have asked 
about this type of connection, and Marty posted back in 2/2000 
(http://marc.theaimsgroup.com/?l=snort-users&m=98048822028060&w=2) that he 
would work on a decoder for this.  If so, we could use it on the external 
interface (in our case, fxp0):

  /usr/local/bin/snort -i fxp0 -deN -c /etc/ids/snort.conf -l /var/log/snort

[...]

Snort analyzed 217 out of 217 packets, dropping 0(0.000%) packets

Breakdown by protocol:                Action Stats:
     TCP: 28         (12.903%)         ALERTS: 0
     UDP: 26         (11.982%)         LOGGED: 0
    ICMP: 0          (0.000%)          PASSED: 0
     ARP: 0          (0.000%)
   EAPOL: 0          (0.000%)
    IPv6: 0          (0.000%)
     IPX: 0          (0.000%)
   OTHER: 158        (72.811%)
DISCARD: 0          (0.000%)


2.  How come Snort won't decode on a tun interface (tun/tap driver)?

/usr/local/bin/snort -i tun99 -deN -c /etc/ids/snort.conf -l /var/log/snort

Initializing Network Interface tun99

         --== Initializing Snort ==--
Initializing Output Plugins!
Decoding LoopBack on interface tun99
Data link layer header parsing for this network  type isn't implemented yet

[...]

Snort analyzed 493 out of 493 packets, dropping 0(0.000%) packets

Breakdown by protocol:                Action Stats:
     TCP: 90         (18.256%)         ALERTS: 0
     UDP: 78         (15.822%)         LOGGED: 0
    ICMP: 12         (2.434%)          PASSED: 0
     ARP: 0          (0.000%)
   EAPOL: 0          (0.000%)
    IPv6: 0          (0.000%)
     IPX: 0          (0.000%)
   OTHER: 310        (62.880%)
DISCARD: 0          (0.000%)


We sent it some events that should have triggered alerts.

Any thoughts on this, anyone?  Help would be much appreciated.  Surely 
there is someone out there doing this already?

Thanks,

--Liam
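For readers wondering what a "raw" PPPoE decoder of the kind asked about in question 1 has to do, here is an added example (not code from the post and not Snort's own decoder): it checks the Ethernet type 0x8864 and the PPPoE session header from RFC 2516, then strips the Ethernet, PPPoE and PPP headers so the inner IP datagram can be handed to an ordinary IP decoder. Frames that are not decodable session data (PPPoE discovery on 0x8863, LCP/IPCP control frames, truncated frames) are rejected; the sample frames are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ETH_HDR_LEN   14
#define PPPOE_HDR_LEN 6
#define ETHERTYPE_PPPOE_SESSION 0x8864
#define PPP_PROTO_IPV4 0x0021
#define PPP_PROTO_IPV6 0x0057

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns 4 or 6 (the IP version of the payload inside a PPPoE session frame)
 * and sets *ip_off / *ip_len to the inner datagram. Returns 0 when the frame
 * is not decodable PPPoE session data: wrong ethertype (e.g. 0x8863 discovery),
 * bad version/type or code, non-IP PPP protocol (LCP, IPCP), or truncation. */
int pppoe_strip(const uint8_t *frame, size_t len, size_t *ip_off, size_t *ip_len)
{
    if (len < ETH_HDR_LEN + PPPOE_HDR_LEN + 2) return 0;
    if (be16(frame + 12) != ETHERTYPE_PPPOE_SESSION) return 0;
    const uint8_t *pppoe = frame + ETH_HDR_LEN;
    if (pppoe[0] != 0x11) return 0;          /* version 1, type 1 (RFC 2516) */
    if (pppoe[1] != 0x00) return 0;          /* code 0 = session stage data */
    uint16_t plen = be16(pppoe + 4);         /* PPP payload length, includes 2-byte protocol */
    if (plen < 2 || (size_t)plen > len - ETH_HDR_LEN - PPPOE_HDR_LEN) return 0;
    uint16_t proto = be16(pppoe + 6);
    *ip_off = ETH_HDR_LEN + PPPOE_HDR_LEN + 2;
    *ip_len = plen - 2;
    if (proto == PPP_PROTO_IPV4 && (frame[*ip_off] >> 4) == 4) return 4;
    if (proto == PPP_PROTO_IPV6 && (frame[*ip_off] >> 4) == 6) return 6;
    return 0;
}

/* Constructed sample: Ethernet + PPPoE session (id 1, len 22) + PPP IPv4 + 20-byte IPv4 header. */
static const uint8_t sample_pppoe_frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x88,0x64,
    0x11, 0x00, 0x00,0x01, 0x00,0x16,
    0x00,0x21,
    0x45,0x00,0x00,0x14, 0x00,0x00,0x00,0x00, 0x40,0x06,0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02
};
/* Constructed sample: a PPPoE discovery (PADI) frame, ethertype 0x8863, which must be rejected. */
static const uint8_t sample_pppoe_discovery[] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x88,0x63,
    0x11, 0x09, 0x00,0x00, 0x00,0x04, 0x01,0x01,0x00,0x00
};

int main(void)
{
    size_t off = 0, n = 0;
    int v = pppoe_strip(sample_pppoe_frame, sizeof sample_pppoe_frame, &off, &n);
    printf("inner IPv%d datagram at offset %zu, %zu bytes\n", v, off, n);
    return v == 4 ? 0 : 1;
}
```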
