Hosting Provided By

[Snort-devel] PPPoE decoding

From: Matt Thompson <mthompson(at)ffd4.com>
Date: Fri Feb 27 2004 - 21:55:26 EST

There is a problem when decoding PPPoE packets since the Packet->pkt pointer is not reset to the beginning of the ethernet header, it is being set to the PPP headers. I've included a patch.

This causes barnyard to ignore all of the alerts when it tries to decode.

I'm using a passive tap on a DSL connection, connected to two ethernet ports that act as a bridge on the sensor. Snort is configured to listen from the bridge to see a reassembly of the split streams out of a tap. Would be nice to see Snort be able to listen off multiple interfaces for tap use to avoid the software bridge.

Matt Thompson

decode.c Mon Oct 20 11:03:17 2003 +++ decode-fix.c Fri Feb 27 21:38:36 2004 @@ -101,8 +101,9 @@ { case ETHERNET_TYPE_PPPoE_DISC: case ETHERNET_TYPE_PPPoE_SESS: DecodePPPoEPkt(p, pkthdr, pkt); + p->pkt = pkt; return;

         case ETHERNET_TYPE_IP:
             DEBUG_WRAP(

---
[This E-mail scanned for viruses]



-------------------------------------------------------
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps & Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
_______________________________________________
Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Received on Fri Feb 27 21:53:28 2004

This message: [ Message body ]
Next message: jayesh: "[Snort-devel] restarting snort as a daemon process"
Previous message: Kumar, Manoj: "RE: [Snort-devel] SNORT has memory leak on Linux Red hat 9"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:10 EDT