[Snort-users] Re: Snort and PPPoE / tun interface

UIA Security Team security at ...9542...
Tue Jun 24 09:05:14 EDT 2003


Morning folks,

I saw some list traffic about repetitive questions, and I hope I don't fall 
into that category.  I did about 3 hours worth of research into this issue, 
looking at the snort.org docs, readmes, and list archives, and didn't find 
a definitive answer or solution for this issue.

If anyone knows where I may have missed the answer, I'd really appreciate 
it.  I'm re-posting my question to the list as I haven't received -any- 
replies at all, not even a single snide RTFM ;)

Thanks folks,

--Liam

At 09:59 AM 6/23/2003 -0700, UIA Security Team wrote:
>All,
>
>We are running Snort 2.0 on FreeBSD and are having some trouble getting it 
>to work on PacBell DSL, which is PPPoE.
>
>
>1.  Can snort decode "raw" PPPoE yet?  I saw that several people have 
>asked about this type of connection, and Marty posted back in 2/2000 
>(http://marc.theaimsgroup.com/?l=snort-users&m=98048822028060&w=2) that he 
>would work on a decoder for this.  If so, we could use it on the external 
>interface (in our case, fxp0):
>
>  /usr/local/bin/snort -i fxp0 -deN -c /etc/ids/snort.conf -l /var/log/snort
>
>[...]
>
>Snort analyzed 217 out of 217 packets, dropping 0(0.000%) packets
>
>Breakdown by protocol:                Action Stats:
>     TCP: 28         (12.903%)         ALERTS: 0
>     UDP: 26         (11.982%)         LOGGED: 0
>    ICMP: 0          (0.000%)          PASSED: 0
>     ARP: 0          (0.000%)
>   EAPOL: 0          (0.000%)
>    IPv6: 0          (0.000%)
>     IPX: 0          (0.000%)
>   OTHER: 158        (72.811%)
>DISCARD: 0          (0.000%)
>
>
>2.  How come Snort won't decode on a tun interface (tun/tap driver)?
>
>/usr/local/bin/snort -i tun99 -deN -c /etc/ids/snort.conf -l /var/log/snort
>
>Initializing Network Interface tun99
>
>         --== Initializing Snort ==--
>Initializing Output Plugins!
>Decoding LoopBack on interface tun99
>Data link layer header parsing for this network  type isn't implemented yet
>
>[...]
>
>Snort analyzed 493 out of 493 packets, dropping 0(0.000%) packets
>
>Breakdown by protocol:                Action Stats:
>     TCP: 90         (18.256%)         ALERTS: 0
>     UDP: 78         (15.822%)         LOGGED: 0
>    ICMP: 12         (2.434%)          PASSED: 0
>     ARP: 0          (0.000%)
>   EAPOL: 0          (0.000%)
>    IPv6: 0          (0.000%)
>     IPX: 0          (0.000%)
>   OTHER: 310        (62.880%)
>DISCARD: 0          (0.000%)
>
>
>We sent it some events that should have triggered alerts.
>
>Any thoughts on this, anyone?  Help would be much appreciated.  Surely 
>there is someone out there doing this already?
>
>Thanks,
>
>--Liam
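A decoder of the kind the first question asks about, as an added example (not Snort's code and not from the original thread): it strips the Ethernet and PPPoE session headers that Snort 2.0 lumps under OTHER and returns the PPP protocol number and the inner IP packet, so the IP layer can be inspected. The sample frame is constructed inline; the MAC addresses, session id and IP addresses in it are assumed values.

```python
import struct

ETHERTYPE_PPPOE_DISCOVERY = 0x8863   # PADI/PADO/PADR/PADS: no IP payload
ETHERTYPE_PPPOE_SESSION = 0x8864     # session stage: PPP frames follow
PPP_PROTO_IPV4 = 0x0021              # 0x0057 would be IPv6


def strip_pppoe(frame: bytes):
    """Return (session_id, ppp_protocol, inner_packet) for a PPPoE session frame.
    Discovery-stage, non-PPPoE and truncated frames return None."""
    if len(frame) < 20:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_PPPOE_SESSION:
        return None
    vertype, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if vertype != 0x11 or code != 0x00:   # version 1, type 1, session data
        return None
    payload = frame[20:20 + length]
    if length < 2 or len(payload) != length:  # declared length must fit the frame
        return None
    ppp_proto = struct.unpack("!H", payload[:2])[0]  # PPP protocol field, no HDLC bytes
    return session_id, ppp_proto, payload[2:]


def ipv4_endpoints(packet: bytes):
    """Source and destination of an IPv4 packet as dotted quads, or None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    return src, dst


def build_sample_frame(ethertype: int = ETHERTYPE_PPPOE_SESSION) -> bytes:
    """Constructed frame: Ethernet -> PPPoE session 1 -> PPP/IPv4 -> ICMP echo.
    Checksums are left at zero; this is sample input, not captured traffic."""
    icmp = bytes([8, 0, 0, 0, 0, 1, 0, 1])                  # echo request, id 1, seq 1
    ip = (b"\x45\x00" + struct.pack("!H", 20 + len(icmp))   # v4, IHL 5, total length
          + b"\x00\x00\x40\x00"                             # id 0, DF set
          + bytes([64, 1, 0, 0])                            # TTL 64, proto ICMP, csum 0
          + bytes([10, 0, 0, 1]) + bytes([192, 0, 2, 1]) + icmp)
    ppp = struct.pack("!H", PPP_PROTO_IPV4) + ip
    pppoe = struct.pack("!BBHH", 0x11, 0x00, 1, len(ppp))   # ver 1, type 1, code 0
    eth = (b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
           + struct.pack("!H", ethertype))
    return eth + pppoe + ppp
```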