[Snort-users] How to write rules for non-TCP (LLC) packets?

Eric Fowler eric.fowler at ...11827...
Tue Apr 23 13:49:03 EDT 2013

Tried that. It misses 'em.

The LLC designation is wrong, I have seen other packets marked as IPX and
containing valid data, which is totally impossible. So the headers are
getting munged and wireshark is getting confused.

Maybe I need a lower level tool.


On Tue, Apr 23, 2013 at 10:32 AM, Joel Esler <jesler at ...1935...> wrote:

> On Apr 23, 2013, at 1:11 PM, Eric Fowler <eric.fowler at ...11827...> wrote:
> I have a connection between two devices with fixed, known IP addresses
> bound to fixed, known MAC addresses, that are communicating on known IP
> ports. The traffic going both ways is UDP, but when I snort the packets,
> the adapter (or driver, not clear) is messing with the headers and
> confusing snort, wireshark, and all other pcap applications I can find. In
> particular,snort and wireshark are not able to detect these packets as
> being UDP, and can't see IP addresses, even though they are embedded in the
> packets (the interface adds 12 bytes of header upstream).
> I have tried configuring the interface *not* to do this but that has
> ultimately been fruitless. Now I am trying to work with what I have.
> I have noticed that the packets I need are flagged in Wireshark as
> protocol LLC. I am able to extract (in wireshark) a filter with the MAC
> addresses, and the MAC addresses look fine in the display.
> I wish to find a way to trap all traffic coming to/from these mac
> addresses that "looks like" LLC packets, and find and print the payload
> data.
> I am using snort rules, but since snort only understands TCP, UDP, etc. as
> protocols (not LLC, too low level), none of the alerts fire.
> So the question at long last is: how can I write a snort rule that will
> alert on all packets (1) coming from a given mac address or (2) with
> certain bytes (IP addresses) at certain offsets or (3) that look like LLC
> packets?
> try "alert ip"
> --
> *Joel Esler*
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20130423/3da7593c/attachment.html>

More information about the Snort-users mailing list