[Snort-users] PPPoE problem with Snort on OpenBSD 4.7.

Schrodinger schrodinger at ...14960...
Mon Aug 9 16:41:09 EDT 2010


On Mon, Aug 09, 2010 at 04:16:54PM -0400, Russ Combs wrote:
[...]

> 
>      From what I can tell the problem is that in src/snort.c there is no
>      support for 'DLT_PPP_ETHER'.
> 
>    I believe you nailed this one.  Not sure how far back the problem goes, but
>    the fix will be in Snort 2.9.0.  If you are comfortable reading source,
>    hopefully you can download the latest tarball and build from there.  The
>    fix won't be in that tarball, but it should be in the next.

Cheers Russ.

I tried to patch snort.c myself, but I either missed something or there
are additional complexities that I'm not aware of, but the following
changes resulted in a core dump as soon as snort began inspecting
packets. I thought that the issue might have been my firewall being
under-performed for snort, which could also still be the case, but it
runs fine on the same box when sniffing traffic on the inside ethernet
interface.

--- snort.c-dist        Sun Aug  8 23:38:37 2010
+++ snort.c     Sun Aug  8 23:51:55 2010
@@ -2926,6 +2926,17 @@
             grinder = DecodeI4LCiscoIPPkt;
             break;
 #endif
+#ifdef DLT_PPP_ETHER
+       case DLT_PPP_ETHER:
+               if (!ScReadMode())
+               {
+                       LogMessage("Decoding PPPoE on interface %s\n",
+                               PRINT_INTERFACE(pcap_interface));
+               }
+
+               grinder = DecodePPPoEPkt;
+               break;
+#endif
 
         default:
             /* oops, don't know how to handle this one */
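
Review bot: `grinder = DecodePPPoEPkt;` in the new `DLT_PPP_ETHER` case hands the raw capture buffer to a decoder without any visible check that it accepts a frame starting at the PPPoE header. A `DLT_PPP_ETHER` capture begins with the PPPoE header (RFC 2516) and has no Ethernet header in front of it, so if `DecodePPPoEPkt` overlays an Ethernet header on the start of the buffer, every offset and length it derives will be wrong. Given the core dump reported as soon as packets are inspected, confirm the decoder's expected starting offset and its bounds checks against the captured length before wiring it in as a link-layer grinder. As a style point, the added lines are tab-indented while the surrounding context uses four-space indentation.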

Conor.

> 
>      Can you help with this ? If you need any more information please ask.
> 
>      Many thanks,
>      Conor.

-- 
+---------------------------------------------------------------+
It was a new day yesterday, but it's an old day now.
MSN: schro5 at ...125...
ICQ: 112562229
GPG: http://www.konundrum.org/schro.asc