[Snort-users] Re: Snort and PPPoE / tun interface

Rich Adamson radamson at ...2127...
Wed Jun 25 07:16:49 EDT 2003


Liam,

I don't use FreeBSD, nor am I a PPPoE user, so my comments might
be way off base.

> >Snort analyzed 217 out of 217 packets, dropping 0(0.000%) packets
> >
> >Breakdown by protocol:                Action Stats:
> >     TCP: 28         (12.903%)         ALERTS: 0
> >     UDP: 26         (11.982%)         LOGGED: 0
> >    ICMP: 0          (0.000%)          PASSED: 0
> >     ARP: 0          (0.000%)
> >   EAPOL: 0          (0.000%)
> >    IPv6: 0          (0.000%)
> >     IPX: 0          (0.000%)
> >   OTHER: 158        (72.811%)
> >DISCARD: 0          (0.000%)

The above implies to me that snort has in fact seen 28 TCP and 26 UDP
packets. Not sure what the "other" protocol represents, but it is quite
likely to be NetBIOS or some other non-IP-oriented packets.

> >2.  How come Snort won't decode on a tun interface (tun/tap driver)?

A pure guess is that the pcap driver used by snort is before the tun/tap drivers.

> >Snort analyzed 493 out of 493 packets, dropping 0(0.000%) packets
> >
> >Breakdown by protocol:                Action Stats:
> >     TCP: 90         (18.256%)         ALERTS: 0
> >     UDP: 78         (15.822%)         LOGGED: 0
> >    ICMP: 12         (2.434%)          PASSED: 0
> >     ARP: 0          (0.000%)
> >   EAPOL: 0          (0.000%)
> >    IPv6: 0          (0.000%)
> >     IPX: 0          (0.000%)
> >   OTHER: 310        (62.880%)
> >DISCARD: 0          (0.000%)
> >
> >
> >We sent it some events that should have triggered alerts.
> >
> >Any thoughts on this, anyone?  Help would be much appreciated.  Surely 
> >there is someone out there doing this already?

Run snort in packet capture mode and look at the packets displayed
with -ved. If you recognize the packets as valid IP stuff, then you 
may have an issue with how you defined HOME_NET in the snort.conf file.
If the packets are truly encapsulated, then pcap is probably sniffing
packets before they get to the PPPoE drivers.

You're probably not getting anyone to respond to your post because
a) there isn't enough information in your post to even take a wild
guess, b) few (if any) snort users likely use PPPoE (and, more than
likely, few have any technical understanding as to the detailed packet
flows involved), and c) the combination of FreeBSD "and" PPPoE users
is very likely to be a small or non-existent group that probably does
not have the programming skills necessary to write/support the code
to do this.

Purely a guess on my part...

Rich
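
The following is an added illustration, not code from the original post or from Snort, of the encapsulation question Rich raises: if pcap hands the IDS frames from the Ethernet side of a PPPoE link, each IP packet is wrapped in an Ethernet frame with EtherType 0x8864, a 6-byte PPPoE session header (RFC 2516) and a 2-byte PPP protocol field (0x0021 for IPv4); on the BSD tun side the same packet is prefixed with a 4-byte address-family word (DLT_NULL) instead. A decoder that only knows Ethernet + IPv4 files every PPPoE frame under "OTHER", which is exactly the symptom in the quoted statistics, while one that strips the extra headers recovers the TCP/UDP/ICMP split. The sample frames are constructed in the script (MAC addresses, IP addresses, session ID and protocol mix are arbitrary); nothing here asserts what any particular Snort release does or does not decode.

```python
"""Show how PPPoE and BSD tun (DLT_NULL) encapsulation hide IPv4 from a naive decoder.

Added example; the frames below are constructed, not captured traffic.
"""
import struct

ETH_P_IP = 0x0800          # EtherType: IPv4
ETH_P_PPPOE_SESS = 0x8864  # EtherType: PPPoE session stage (RFC 2516)
PPP_IP = 0x0021            # PPP protocol field: IPv4
AF_INET = 2                # DLT_NULL: 4-byte address family, native byte order


def build_ipv4(proto, payload=b""):
    """Minimal IPv4 header (20 bytes, no options, checksum left zero) carrying `proto`."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([192, 0, 2, 1]))  # arbitrary addresses
    return hdr + payload


def ethernet(ethertype, payload):
    """Ethernet II frame with arbitrary (constructed) MAC addresses."""
    return (b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
            + struct.pack("!H", ethertype) + payload)


def pppoe_session(ip_packet, session_id=0x0001):
    """Wrap an IPv4 packet the way it appears on the Ethernet side of a PPPoE link."""
    ppp = struct.pack("!H", PPP_IP) + ip_packet           # PPP protocol + payload
    pppoe_hdr = struct.pack("!BBHH", 0x11, 0x00, session_id, len(ppp))  # ver=1,type=1,code=0
    return ethernet(ETH_P_PPPOE_SESS, pppoe_hdr + ppp)


def tun_null(ip_packet):
    """Same packet as seen on a BSD tun device (DLT_NULL): 4-byte AF word, then IP."""
    return struct.pack("=I", AF_INET) + ip_packet


def ip_proto_name(ip_packet):
    """Classify a bare IPv4 packet by its protocol field, like Snort's breakdown."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4:
        return "OTHER"
    return {1: "ICMP", 6: "TCP", 17: "UDP"}.get(ip_packet[9], "OTHER")


def classify_ethernet_only(frame):
    """Naive decoder: understands Ethernet + IPv4 and nothing else."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_P_IP:
        return ip_proto_name(frame[14:])
    return "OTHER"


def classify_aware(frame, dlt):
    """Decoder that also strips DLT_NULL and PPPoE session encapsulation."""
    if dlt == "NULL":
        af = struct.unpack("=I", frame[:4])[0]
        return ip_proto_name(frame[4:]) if af == AF_INET else "OTHER"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_P_IP:
        return ip_proto_name(frame[14:])
    if ethertype == ETH_P_PPPOE_SESS:
        ver_type, code, _sid, length = struct.unpack("!BBHH", frame[14:20])
        if ver_type != 0x11 or code != 0x00:  # not a well-formed session frame
            return "OTHER"
        ppp = frame[20:20 + length]
        if len(ppp) >= 2 and struct.unpack("!H", ppp[:2])[0] == PPP_IP:
            return ip_proto_name(ppp[2:])
    return "OTHER"


def breakdown(frames, classify):
    """Count frames per protocol bucket, mirroring Snort's 'Breakdown by protocol'."""
    counts = {"TCP": 0, "UDP": 0, "ICMP": 0, "OTHER": 0}
    for frame in frames:
        counts[classify(frame)] += 1
    return counts


# Constructed sample: 3 TCP, 2 UDP, 1 ICMP packet, each seen two ways.
SAMPLE_IP = [build_ipv4(6)] * 3 + [build_ipv4(17)] * 2 + [build_ipv4(1)]
PPPOE_FRAMES = [pppoe_session(p) for p in SAMPLE_IP]
TUN_FRAMES = [tun_null(p) for p in SAMPLE_IP]

if __name__ == "__main__":
    print("Ethernet-only decoder, PPPoE frames :", breakdown(PPPOE_FRAMES, classify_ethernet_only))
    print("Aware decoder, PPPoE frames         :", breakdown(PPPOE_FRAMES, lambda f: classify_aware(f, "EN10MB")))
    print("Aware decoder, tun frames (DLT_NULL):", breakdown(TUN_FRAMES, lambda f: classify_aware(f, "NULL")))
```

Running it prints all six PPPoE frames as OTHER for the naive decoder and the expected 3/2/1 split for the encapsulation-aware one on both the Ethernet-side and tun-side captures. The practical check is the one Rich suggests: dump a few packets with -ved and look at whether the bytes after the link header start with an IPv4 header (0x45) or with PPPoE/PPP framing.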
