[Snort-users] Linktype 113 not decoded
BALDWIN, BILL (SBCSI)
wb7192 at ...5059...
Mon Feb 28 06:49:33 EST 2005
Also, if I turn on
Output alert_full: alert.full
It appears that Snort is able to capture the header information:
[**] WEB-ATTACKS id command attempt [**]
02/28-14:31:10.793388 184.108.40.206:1337 -> X.X.X.X:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:16759
***AP*** Seq: 0x78632E02 Ack: 0x8ED8D432 Win: 0x3DBD TcpLen: 20
Both Snort-2.3.0 and Barnyard-0.2.0 are running on the same system.
Sent: Friday, February 25, 2005 12:47 PM
Subject: Re: [Snort-users] Linktype 113 not decoded
Looks like you're using cooked sockets (Linux SLL) to acquire the data
and Barnyard doesn't know how to process them. You'd have to add a
layer 2 decoder for linux SLL traffic before Barnyard will recognize
On Feb 24, 2005, at 10:12 AM, BALDWIN, BILL (SBCSI) wrote:
> I'm running into an issue I hope someone can help with.
> RedHat ES 3 update 3 SMP (2.4.21-20.Elsmp)
> The system is running 2 GigE fibre cards that are spanning 2 routers
> with no ip address and snort starts with -i any. The problem is the
> alerts have no ip/udp header information. Looking at barnyards
> I'm getting "Linktype 113 not decoded. Raw packet dumped" instead of
> the packet header. If I run tcpdump or ethereal on any of the
> interfaces, I am able to get all header info.
> Any help would be greatly appreciated.
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover. Determine. Defend.
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
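To make the reply's point concrete, here is an added example written for this page (it is not Snort or Barnyard code). It implements a small layer-2 dispatcher that knows both plain Ethernet (DLT 1, 14-byte header) and the 16-byte Linux cooked-capture header (DLT 113, what libpcap returns for `-i any`), then parses the IPv4/TCP fields that alert.full prints. Calling it with a decoder table that only knows Ethernet reproduces the "Linktype 113 not decoded" condition; adding the SLL decoder makes the same cooked frame yield the same header lines as its Ethernet twin. The frames, the RFC 5737 test addresses and the `ETHERNET_ONLY` table are constructed here; the field values are modelled on the alert.full output quoted above.

```python
"""Layer-2 dispatch for libpcap link types, including Linux cooked capture.
Added example for this thread, not Snort or Barnyard code. All packet bytes
below are constructed; checksums are left at zero because nothing verifies them."""
import struct

DLT_EN10MB = 1          # plain Ethernet
DLT_LINUX_SLL = 113     # Linux "cooked" capture, returned for the "any" device
ETHERTYPE_IPV4 = 0x0800
ETH_HDR_LEN = 14
SLL_HDR_LEN = 16


class LinktypeNotDecoded(Exception):
    """No layer-2 decoder is registered for this link type."""


def _decode_ethernet(frame):
    # dst(6) src(6) ethertype(2); ethertype is in network byte order
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("short Ethernet frame")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    return ethertype, frame[ETH_HDR_LEN:]


def _decode_sll(frame):
    # pkttype(2) arphrd(2) addrlen(2) addr(8, zero padded) proto(2);
    # proto carries the same value an Ethernet frame carries as ethertype
    if len(frame) < SLL_HDR_LEN:
        raise ValueError("short SLL frame")
    _pkttype, _arphrd, _addrlen, _addr, proto = struct.unpack("!HHH8sH", frame[:SLL_HDR_LEN])
    return proto, frame[SLL_HDR_LEN:]


DECODERS = {DLT_EN10MB: _decode_ethernet, DLT_LINUX_SLL: _decode_sll}
ETHERNET_ONLY = {DLT_EN10MB: _decode_ethernet}   # hypothetical table: what a decoder without SLL support knows


def decode_l2(linktype, frame, decoders=DECODERS):
    """Strip the layer-2 header and return (ethertype, layer-3 payload)."""
    if linktype not in decoders:
        raise LinktypeNotDecoded("Linktype %d not decoded. Raw packet dumped" % linktype)
    return decoders[linktype](frame)


SNORT_FLAG_ORDER = "12UAPRSF"   # Snort's 8-column TCP flag string, MSB (reserved bits) first


def snort_flags(flags):
    return "".join(c if flags & (0x80 >> i) else "*" for i, c in enumerate(SNORT_FLAG_ORDER))


def parse_ipv4_tcp(payload):
    """Extract the IPv4/TCP fields alert.full prints from a layer-3 payload."""
    if len(payload) < 20:
        raise ValueError("short IPv4 header")
    ver_ihl, tos, total_len, ident, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", payload[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    pkt = {"src": ".".join(str(b) for b in src), "dst": ".".join(str(b) for b in dst),
           "ttl": ttl, "tos": tos, "id": ident, "iplen": ihl, "dgmlen": total_len, "proto": proto}
    if proto == 6:
        tcp = payload[ihl:ihl + 20]
        if len(tcp) < 20:
            raise ValueError("short TCP header")
        sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
        pkt.update(sport=sport, dport=dport, seq=seq, ack=ack, win=win,
                   flags=off_flags & 0xFF, tcplen=(off_flags >> 12) * 4)
    return pkt


def alert_header(linktype, frame, decoders=DECODERS):
    """Render the header lines alert.full prints, or the undecoded-linktype message."""
    try:
        ethertype, l3 = decode_l2(linktype, frame, decoders)
    except LinktypeNotDecoded as e:
        return str(e)
    if ethertype != ETHERTYPE_IPV4:
        return "non-IPv4 ethertype 0x%04x" % ethertype
    p = parse_ipv4_tcp(l3)
    if p["proto"] != 6:
        return "%s -> %s proto %d" % (p["src"], p["dst"], p["proto"])
    return "\n".join([
        "%s:%d -> %s:%d" % (p["src"], p["sport"], p["dst"], p["dport"]),
        "TCP TTL:%d TOS:0x%X ID:%d IpLen:%d DgmLen:%d" % (p["ttl"], p["tos"], p["id"], p["iplen"], p["dgmlen"]),
        "%s Seq: 0x%X Ack: 0x%X Win: 0x%X TcpLen: %d" % (
            snort_flags(p["flags"]), p["seq"], p["ack"], p["win"], p["tcplen"]),
    ])


# Constructed sample: IPv4/TCP with the TTL, TOS, seq/ack, window and PSH|ACK flags
# from the alert quoted in the thread, and RFC 5737 test addresses.
IP_TCP = struct.pack("!BBHHHBBH4s4s", 0x45, 0x10, 40, 0, 0, 240, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])) + \
         struct.pack("!HHIIHHHH", 1337, 80, 0x78632E02, 0x8ED8D432, (5 << 12) | 0x18, 0x3DBD, 0, 0)
ETH_FRAME = b"\x00\x00\x5e\x00\x53\x01" + b"\x00\x00\x5e\x00\x53\x02" + struct.pack("!H", ETHERTYPE_IPV4) + IP_TCP
# SLL pkttype 3 = to another host, which is what a span port delivers; "8s" zero-pads the 6-byte MAC
SLL_FRAME = struct.pack("!HHH8sH", 3, 1, 6, b"\x00\x00\x5e\x00\x53\x02", ETHERTYPE_IPV4) + IP_TCP

if __name__ == "__main__":
    print(alert_header(DLT_LINUX_SLL, SLL_FRAME, ETHERNET_ONLY))   # the thread's symptom
    print(alert_header(DLT_LINUX_SLL, SLL_FRAME))                  # with the SLL decoder registered
    print(alert_header(DLT_EN10MB, ETH_FRAME))                     # same packet, Ethernet framing
```

The practical check this suggests for the poster's setup: Snort itself decodes the cooked header, which is why alert.full shows the addresses and ports, while the unified log carries the raw frame with linktype 113 for Barnyard to decode on its own. Binding Snort to a specific interface instead of `any` produces DLT 1 frames that an Ethernet-only consumer already understands, at the cost of one Snort process per interface.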