[Snort-users] Linktype 113 not decoded

Martin Roesch roesch at ...1935...
Fri Mar 4 20:12:19 EST 2005


Hi Bill,

Here's a quick and dirty patch that you can apply to Barnyard that'll 
add SLL support to its decoder.  If you patch the barnyard code set 
with this and then try to reprocess your unified files it'll probably 
work.  Let me know what you find.  I don't have any SLL unified files 
to test with, so this compiles but hasn't been operationally tested...

Let me know how it goes.

      -Marty


-------------- next part --------------
A non-text attachment was scrubbed...
Name: by.patch
Type: application/octet-stream
Size: 9038 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20050304/f3e34ed3/attachment.obj>
-------------- next part --------------



On Feb 28, 2005, at 9:47 AM, BALDWIN, BILL (SBCSI) wrote:

> Also, if I turn on
> Output alert_full: alert.full
> It appears that Snort is able to capture the header information:
>
> [**] WEB-ATTACKS id command attempt [**]
> 02/28-14:31:10.793388 203.218.33.49:1337 -> X.X.X.X:80
> TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:16759
> ***AP*** Seq: 0x78632E02  Ack: 0x8ED8D432  Win: 0x3DBD TcpLen: 20
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> Both Snort-2.3.0 and Barnyard-0.2.0 are running on the same system.
>
> -bill
>
>
> -----Original Message-----
> Sent: Friday, February 25, 2005 12:47 PM
> Subject: Re: [Snort-users] Linktype 113 not decoded
>
>
> Looks like you're using cooked sockets (Linux SLL) to acquire the data
> and Barnyard doesn't know how to process them.  You'd have to add a
> layer 2 decoder for linux SLL traffic before Barnyard will recognize
> those packets.
>
>        -Marty
>
> On Feb 24, 2005, at 10:12 AM, BALDWIN, BILL (SBCSI) wrote:
>
>> I'm running into an issue I hope someone can help with.
>>
>> Environment:
>> Snort-2.3.0
>> Barnyard-0.2.0
>> Libpcap-0.7.2-7.E3.2
>> RedHat ES 3 update 3 SMP (2.4.21-20.Elsmp)
>>
>> The system is running 2 GigE fibre cards that are spanning 2 routers
>> with no ip address and snort starts with -i any.  The problem is the
>> alerts have no ip/udp header information.  Looking at barnyard's
>> dump.log I'm getting "Linktype 113 not decoded.  Raw packet dumped"
>> instead of the packet header.  If I run tcpdump or ethereal on any of
>> the interfaces, I am able to get all header info.
>>
>> Any help would be greatly appreciated.
>>
>> Bill
>>
>>
>>
> -- 
> Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
> Sourcefire - Discover.  Determine.  Defend.
> roesch at ...1935... - http://www.sourcefire.com
> Snort: Open Source Network IDS - http://www.snort.org
>
>
-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover.  Determine.  Defend.
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
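To make the "layer 2 decoder for linux SLL traffic" that Marty describes concrete, here is an added example of what such a decoder has to do. It is not Barnyard's code and not the by.patch attachment; the struct and function names and the sample bytes are this example's own assumptions. The cooked header (DLT_LINUX_SLL, linktype 113) is a fixed 16 bytes in network byte order, carries only a source link-layer address (no destination), and ends with the EtherType of the encapsulated packet, which is what a decoder needs to hand the rest of the buffer to the IP decoder. The length checks are the part a practitioner cares about: a decoder that trusts the address-length field or reads 16 bytes from a shorter capture is reading past the packet.

```c
/* Added example (not Barnyard's code, not the by.patch attachment): a minimal
 * decoder for the Linux "cooked" link layer, DLT_LINUX_SLL = linktype 113,
 * which libpcap hands out for "-i any" captures.  Names and sample bytes
 * are this example's own assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DLT_LINUX_SLL   113     /* the linktype value in the dump.log message */
#define SLL_HDR_LEN     16      /* the cooked header is always 16 bytes */
#define ETHERTYPE_IP    0x0800
#define ETHERTYPE_IPV6  0x86DD

/* Decoded view of the cooked header; all on-wire fields are big-endian. */
struct sll_hdr {
    uint16_t pkttype;   /* 0 host, 1 broadcast, 2 multicast, 3 otherhost, 4 outgoing */
    uint16_t hatype;    /* ARPHRD_* type of the capturing interface (1 = Ethernet) */
    uint16_t halen;     /* number of meaningful bytes in addr[] */
    uint8_t  addr[8];   /* source link-layer address, zero padded; no destination */
    uint16_t protocol;  /* EtherType of the encapsulated packet */
};

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Parse the cooked header at the start of pkt.  Returns the offset of the
 * layer-3 payload (SLL_HDR_LEN on success) or 0 when the frame is truncated
 * or the address length is impossible, so a caller can fall back to
 * "raw packet dumped" instead of reading past the buffer. */
size_t decode_sll(const uint8_t *pkt, size_t len, struct sll_hdr *out)
{
    if (pkt == NULL || out == NULL || len < SLL_HDR_LEN)
        return 0;
    out->pkttype  = be16(pkt);
    out->hatype   = be16(pkt + 2);
    out->halen    = be16(pkt + 4);
    if (out->halen > sizeof out->addr)      /* cannot exceed the 8-byte field */
        return 0;
    memcpy(out->addr, pkt + 6, sizeof out->addr);
    out->protocol = be16(pkt + 14);
    return SLL_HDR_LEN;
}

/* Convenience wrapper: payload offset only, 0 on failure. */
size_t sll_payload_offset(const uint8_t *pkt, size_t len)
{
    struct sll_hdr h;
    return decode_sll(pkt, len, &h);
}

/* Map the EtherType to an IP version (4 or 6), 0 for anything else. */
int sll_ip_version(const struct sll_hdr *h)
{
    if (h->protocol == ETHERTYPE_IP)   return 4;
    if (h->protocol == ETHERTYPE_IPV6) return 6;
    return 0;
}

/* Constructed sample frame: cooked header (pkttype 3 = otherhost, hatype 1 =
 * Ethernet, 6-byte MAC 00:11:22:33:44:55, EtherType 0x0800) followed by a
 * 20-byte IPv4 header 10.0.0.1 -> 10.0.0.2 carrying TCP (protocol 6). */
const uint8_t sll_sample[] = {
    0x00, 0x03,  0x00, 0x01,  0x00, 0x06,
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x00, 0x00,
    0x08, 0x00,
    0x45, 0x00, 0x00, 0x14,  0x00, 0x00, 0x40, 0x00,
    0x40, 0x06, 0x00, 0x00,
    10, 0, 0, 1,  10, 0, 0, 2
};
const size_t sll_sample_len = sizeof sll_sample;

/* Decode the sample and return the IP protocol number found behind the
 * cooked header (6 for the TCP sample), or -1 if decoding fails. */
int sll_sample_ip_protocol(void)
{
    struct sll_hdr h;
    size_t off = decode_sll(sll_sample, sll_sample_len, &h);
    if (off == 0 || sll_ip_version(&h) != 4 || sll_sample_len < off + 20)
        return -1;
    return sll_sample[off + 9];             /* IPv4 protocol field */
}

/* A header claiming a 9-byte address must be rejected: returns 1 if it is. */
int sll_rejects_bad_halen(void)
{
    uint8_t bad[SLL_HDR_LEN];
    memcpy(bad, sll_sample, SLL_HDR_LEN);
    bad[4] = 0x00; bad[5] = 0x09;
    return sll_payload_offset(bad, sizeof bad) == 0;
}

int main(void)
{
    struct sll_hdr h;
    size_t off = decode_sll(sll_sample, sll_sample_len, &h);
    if (off == 0) {
        puts("Linktype 113 not decoded. Raw packet dumped");
        return 1;
    }
    printf("SLL pkttype=%u hatype=%u halen=%u proto=0x%04x -> IPv%d at %zu, ip proto %d\n",
           h.pkttype, h.hatype, h.halen, h.protocol, sll_ip_version(&h), off,
           sll_sample_ip_protocol());
    return 0;
}
```

The reason this header shows up at all is the `-i any` in Bill's setup: libpcap cannot assume one link type across every interface, so the kernel wraps each packet in this synthetic header instead of the real Ethernet frame, and tools that only know DLT_EN10MB (Ethernet) fall back to dumping the raw bytes. A decoder for it is simple, but it has to be a distinct code path keyed on the pcap linktype rather than a fix-up of the Ethernet one.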


