Re: [Snort-devel] Protocol plugin

From: Andrew R. Baker <andrewb(at)snort.org>
Date: Mon Sep 01 2003 - 22:40:44 EDT

Jeremy F Stephens wrote:
> Hi,
>
> On my network, I set up a snort daemon to track traffic (among other

Are you also seeing 802.3 Ethernet headers? SNAP frames indicate that you are seeing some IPX traffic. This can be caused simply by running with network switches that have spanning tree enabled. As you have already found out, Snort does not support decoding this traffic and classifies it as "other". It would be possible to extend the Snort decoder to process these other protocols.

As for Snort only handling 4 different kinds of protocols, that is a bit of a mis-statement. Snort only handles writing rules for IP packets (with specific capabilities for matching against TCP, UDP, and ICMP header information). It is capable of decoding many lower layer protocols that IP is commonly found on top of.

-A
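
Added example, not part of the original message and not Snort's decoder code: a small C classifier that separates the link-layer framings mentioned above (802.3 length frames with LLC or SNAP, raw 802.3 IPX) from Ethernet II frames, and reports whether a frame carries IPv4. All type and function names are hypothetical, and the sample frame is constructed.

```c
/* Added illustration; names are hypothetical and not taken from Snort. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum l2_kind { L2_MALFORMED, L2_ETHERNET_II, L2_RAW_8023_IPX, L2_LLC, L2_LLC_SNAP };
struct l2_info {
    enum l2_kind kind;
    uint16_t proto; /* EtherType, or SNAP protocol ID (an EtherType when oui == 0) */
    uint32_t oui;   /* SNAP organization code, else 0 */
    uint8_t dsap;   /* LLC destination SAP, else 0 */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

struct l2_info classify_frame(const uint8_t *f, size_t len)
{
    struct l2_info r = { L2_MALFORMED, 0, 0, 0 };
    if (len < 14) return r;                  /* no complete MAC header */
    uint16_t tl = be16(f + 12);              /* shared type/length field */
    if (tl >= 0x0600) { r.kind = L2_ETHERNET_II; r.proto = tl; return r; }
    if (tl > 1500 || len < 17) return r;     /* undefined length, or no LLC header */
    /* Raw 802.3 IPX: the IPX header (checksum FFFF) follows the MAC header directly. */
    if (f[14] == 0xFF && f[15] == 0xFF) { r.kind = L2_RAW_8023_IPX; return r; }
    if (f[14] == 0xAA && f[15] == 0xAA && f[16] == 0x03) {
        if (len < 22) return r;              /* SNAP header cut short */
        r.kind = L2_LLC_SNAP; r.dsap = 0xAA;
        r.oui = ((uint32_t)f[17] << 16) | ((uint32_t)f[18] << 8) | f[19];
        r.proto = be16(f + 20);
        return r;
    }
    r.kind = L2_LLC; r.dsap = f[14];         /* e.g. DSAP 0x42 is a spanning tree BPDU */
    return r;
}

/* 1 when the frame carries IPv4, directly or inside SNAP with a zero OUI. */
int carries_ipv4(struct l2_info i)
{
    int has_ethertype = i.kind == L2_ETHERNET_II || (i.kind == L2_LLC_SNAP && i.oui == 0);
    return has_ethertype && i.proto == 0x0800;
}

int main(void)
{
    /* Constructed sample: 802.3 frame, length 38, LLC 42/42/03 (spanning tree BPDU). */
    uint8_t bpdu[52] = { 0x01,0x80,0xC2,0,0,0, 0x02,0,0,0,0,0x01, 0x00,0x26, 0x42,0x42,0x03 };
    struct l2_info i = classify_frame(bpdu, sizeof bpdu);
    printf("kind=%d dsap=0x%02X ipv4=%d\n", i.kind, i.dsap, carries_ipv4(i));
    return 0;
}
```
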



Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Received on Mon Sep 1 22:50:30 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:09 EDT

