[Snort-users] How to write rules for non-TCP (LLC) packets?

Eric Fowler eric.fowler at ...11827...
Tue Apr 23 13:11:16 EDT 2013

I have a connection between two devices with fixed, known IP addresses
bound to fixed, known MAC addresses, that are communicating on known IP
ports. The traffic going both ways is UDP, but when I snort the packets,
the adapter (or driver, not clear) is messing with the headers and
confusing snort, wireshark, and all other pcap applications I can find. In
particular,snort and wireshark are not able to detect these packets as
being UDP, and can't see IP addresses, even though they are embedded in the
packets (the interface adds 12 bytes of header upstream).

I have tried configuring the interface *not* to do this but that has
ultimately been fruitless. Now I am trying to work with what I have.

I have noticed that the packets I need are flagged in Wireshark as protocol
LLC. I am able to extract (in wireshark) a filter with the MAC addresses,
and the MAC addresses look fine in the display.

I wish to find a way to trap all traffic coming to/from these mac addresses
that "looks like" LLC packets, and find and print the payload data.

I am using snort rules, but since snort only understands TCP, UDP, etc. as
protocols (not LLC, too low level), none of the alerts fire.

So the question at long last is: how can I write a snort rule that will
alert on all packets (1) coming from a given mac address or (2) with
certain bytes (IP addresses) at certain offsets or (3) that look like LLC


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20130423/6a2a50bc/attachment.html>

More information about the Snort-users mailing list