[Snort-users] How to write rules for non-TCP (LLC) packets?

Eric Fowler eric.fowler at ...11827...
Tue Apr 23 16:49:18 EDT 2013

Hoping to hear someone expand on "patch Snort to do that ..." :-)

Give me a few clues, I can figure out the rest.


On Tue, Apr 23, 2013 at 1:08 PM, Russ Combs <rcombs at ...1935...> wrote:

> The datalink type in the pcap is ethernet but that doesn't match the outer
> layer encapsulation.  You need some way to skip over those first 12 bytes.
>  It is fairly easy to patch Snort to do that, but having a different DLT to
> key off of would be best.
> On Tue, Apr 23, 2013 at 1:49 PM, Eric Fowler <eric.fowler at ...11827...> wrote:
>> Tried that. It misses 'em.
>> The LLC designation is wrong, I have seen other packets marked as IPX and
>> containing valid data, which is totally impossible. So the headers are
>> getting munged and wireshark is getting confused.
>> Maybe I need a lower level tool.
>> Eric
>> On Tue, Apr 23, 2013 at 10:32 AM, Joel Esler <jesler at ...1935...> wrote:
>>> On Apr 23, 2013, at 1:11 PM, Eric Fowler <eric.fowler at ...11827...> wrote:
>>>> I have a connection between two devices with fixed, known IP addresses
>>>> bound to fixed, known MAC addresses, that are communicating on known IP
>>>> ports. The traffic going both ways is UDP, but when I snort the packets,
>>>> the adapter (or driver, not clear) is messing with the headers and
>>>> confusing snort, wireshark, and all other pcap applications I can find. In
>>>> particular, snort and wireshark are not able to detect these packets as
>>>> being UDP, and can't see IP addresses, even though they are embedded in the
>>>> packets (the interface adds 12 bytes of header upstream).
>>>> I have tried configuring the interface *not* to do this but that has
>>>> ultimately been fruitless. Now I am trying to work with what I have.
>>>> I have noticed that the packets I need are flagged in Wireshark as
>>>> protocol LLC. I am able to extract (in wireshark) a filter with the MAC
>>>> addresses, and the MAC addresses look fine in the display.
>>>> I wish to find a way to trap all traffic coming to/from these mac
>>>> addresses that "looks like" LLC packets, and find and print the payload
>>>> data.
>>>> I am using snort rules, but since snort only understands TCP, UDP, etc.
>>>> as protocols (not LLC, too low level), none of the alerts fire.
>>>> So the question at long last is: how can I write a snort rule that will
>>>> alert on all packets (1) coming from a given mac address or (2) with
>>>> certain bytes (IP addresses) at certain offsets or (3) that look like LLC
>>>> packets?
>>> try "alert ip"
>>> --
>>> *Joel Esler*
>>> Senior Research Engineer, VRT
>>> OpenSource Community Manager
>>> Sourcefire
