[Snort-users] How to write rules for non-TCP (LLC) packets?

Russ Combs rcombs at ...1935...
Wed Apr 24 08:00:43 EDT 2013


The attached patch will work with the latest version. From src/:

    patch -p0 < decode.diff

Then make and install.  Beware:

-- The pcap you sent is snapped at 1514 but contains many packets that were
1530 bytes total so those turn into IP4 discards.  You need to capture with
a bigger snaplen (like 0 for max).

-- If you mix ethernet with these packets, you need to tweak the code to
only strip the 12 bytes when appropriate.  You might check for fixed bytes
in that header and maybe for the ether type (0x0800) at the correct offset.

-- If you figure out the correct DLT, then a new packet decoder would be a
cleaner alternative.
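A per-packet check along the lines Russ suggests (strip the 12 bytes only when a real Ethernet/IPv4 header sits behind them, so plain Ethernet frames pass untouched), as an added example rather than the decode.diff attachment from the post. It assumes the adapter prefix is exactly 12 bytes and, because the prefix's fixed header bytes are not given in the thread, keys on the 0x0800 ethertype plus the IPv4 version nibble instead.

```c
#include <stddef.h>
#include <stdint.h>

/* Constants from the thread: the adapter prepends 12 bytes; the real
 * Ethernet header (14 bytes) follows, with ethertype 0x0800 for IPv4. */
#define PREFIX_LEN   12
#define ETH_HDR_LEN  14
#define ETHERTYPE_IP 0x0800

static uint16_t rd16be(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* 1 if an Ethernet header carrying IPv4 starts at byte 'off' of pkt.
 * Also peeks at the IP version nibble so a stray 0x0800 inside the
 * prefix is less likely to be mistaken for a real ethertype. */
static int eth_ip4_at(const uint8_t *pkt, size_t len, size_t off)
{
    if (len < off + ETH_HDR_LEN + 1)      /* short capture: cannot decide */
        return 0;
    return rd16be(pkt + off + 12) == ETHERTYPE_IP &&
           (pkt[off + ETH_HDR_LEN] >> 4) == 4;
}

/* Bytes to skip before Ethernet decoding: 0 for a plain frame, 12 for a
 * prefixed one, -1 when neither layout fits (e.g. a frame truncated by a
 * too-small snaplen, the 1514-vs-1530 problem mentioned in the thread). */
int prefix_to_strip(const uint8_t *pkt, size_t len)
{
    if (eth_ip4_at(pkt, len, 0))
        return 0;
    if (eth_ip4_at(pkt, len, PREFIX_LEN))
        return PREFIX_LEN;
    return -1;
}

/* Constructed sample frames (not taken from the poster's pcap):
 * dst MAC, src MAC, ethertype 0x0800, then the first IPv4 header byte 0x45. */
const uint8_t plain_frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb,
    0x08,0x00, 0x45,0x00 };
/* Same frame behind 12 bytes of constructed adapter prefix (0xAA). */
const uint8_t prefixed_frame[] = {
    0xaa,0xaa,0xaa,0xaa,0xaa,0xaa, 0xaa,0xaa,0xaa,0xaa,0xaa,0xaa,
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb,
    0x08,0x00, 0x45,0x00 };
```

Call prefix_to_strip() on each raw frame before the Ethernet decoder runs and advance the packet pointer by the returned count; a -1 is the case to log rather than decode, since it usually means the capture was snapped too short.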

On Tue, Apr 23, 2013 at 4:49 PM, Eric Fowler <eric.fowler at ...11827...> wrote:

> Hoping to hear someone expand on "patch Snort to do that ..." :-)
>
> Give me a few clues, I can figure out the rest.
>
> Eric
>
>
> On Tue, Apr 23, 2013 at 1:08 PM, Russ Combs <rcombs at ...1935...> wrote:
>
>> The datalink type in the pcap is ethernet but that doesn't match the
>> outer layer encapsulation.  You need some way to skip over those first 12
>> bytes.  It is fairly easy to patch Snort to do that, but having a different
>> DLT to key off of would be best.
>>
>> On Tue, Apr 23, 2013 at 1:49 PM, Eric Fowler <eric.fowler at ...11827...> wrote:
>>
>>> Tried that. It misses 'em.
>>>
>>> The LLC designation is wrong, I have seen other packets marked as IPX
>>> and containing valid data, which is totally impossible. So the headers are
>>> getting munged and wireshark is getting confused.
>>>
>>> Maybe I need a lower level tool.
>>>
>>> Eric
>>>
>>>
>>> On Tue, Apr 23, 2013 at 10:32 AM, Joel Esler <jesler at ...1935...> wrote:
>>>
>>>> On Apr 23, 2013, at 1:11 PM, Eric Fowler <eric.fowler at ...11827...> wrote:
>>>>
>>>> I have a connection between two devices with fixed, known IP addresses
>>>> bound to fixed, known MAC addresses, that are communicating on known IP
>>>> ports. The traffic going both ways is UDP, but when I snort the packets,
>>>> the adapter (or driver, not clear) is messing with the headers and
>>>> confusing snort, wireshark, and all other pcap applications I can find. In
>>>> particular, snort and wireshark are not able to detect these packets as
>>>> being UDP, and can't see IP addresses, even though they are embedded in the
>>>> packets (the interface adds 12 bytes of header upstream).
>>>>
>>>> I have tried configuring the interface *not* to do this but that has
>>>> ultimately been fruitless. Now I am trying to work with what I have.
>>>>
>>>> I have noticed that the packets I need are flagged in Wireshark as
>>>> protocol LLC. I am able to extract (in wireshark) a filter with the MAC
>>>> addresses, and the MAC addresses look fine in the display.
>>>>
>>>> I wish to find a way to trap all traffic coming to/from these mac
>>>> addresses that "looks like" LLC packets, and find and print the payload
>>>> data.
>>>>
>>>> I am using snort rules, but since snort only understands TCP, UDP, etc.
>>>> as protocols (not LLC, too low level), none of the alerts fire.
>>>>
>>>> So the question at long last is: how can I write a snort rule that will
>>>> alert on all packets (1) coming from a given mac address or (2) with
>>>> certain bytes (IP addresses) at certain offsets or (3) that look like LLC
>>>> packets?
>>>>
>>>>
>>>>
>>>> try "alert ip"
>>>>
>>>> --
>>>> *Joel Esler*
>>>> Senior Research Engineer, VRT
>>>> OpenSource Community Manager
>>>> Sourcefire
>>>>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: decode.diff
Type: application/octet-stream
Size: 393 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20130424/161bc73c/attachment.obj>