Subject: Re: [snort] 1.6-beta11 available [CVS & WWW]
From: Martin Roesch (roeschhiverworld.com)
Date: Tue Mar 07 2000 - 14:46:58 CST


CyberPsychotic wrote:
>
> ~ :What's new in 1.6-beta11? I'm working a little on this mainframe
> ~ :communication problem right now (remotely) but plan to be on-site tomorrow.
> ~ :I could give it a try and flip back and forth between 1.5.2 and 1.6-beta11
> ~ :if there are problems.
> ~ :
> ~ :One thing I noticed in 1.5.2 is that the -e option doesn't work on a token
> ~ :ring network (it dumps core)...and maybe it's not supposed to. One place,
> ~ :that is called the 'ethernet header' option.
>
> it's not supposed to. There are no ethernet frames in TokenRing. There are
> tokenring frames. ;-) PrintEthHeader in log.c looks at eh (ethernet
> header) value which is only set when Ethernet datalink is being processed.
> We actually could fix it in 2 ways:
>
> 1. We could give a warning that -e could be used with ethernet datalink
> types and ignore it.
> 2. We could add extra sanity check to PrintEthHeader to ignore the call,
> if eh is NULL
> 3. I could rewrite a bit DecodeTRPacket to form some sort of ethernet
> header. There are actually also srcaddr and dstaddr mac addresses in
> tokenring header which I could just pull into eh structure.
>
> Let me know which one you find more appropriate :)

We could write a TR header print routine as well and select the proper
layer 2 output printer based on the DLT. Either that or disable -e for
non-ethernet types....

-- 
Martin Roesch                      <roeschhiverworld.com>
Director of Forensic Systems     http://www.hiverworld.com
Hiverworld, Inc.               Enterprise Network Security
Network Forensics, Intrusion Detection and Risk Assessment
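Martin's suggestion above, a layer-2 printer selected by DLT with a NULL guard in the Ethernet path, sketched as an added example in C. This is not Snort's code: the header structs, the Packet type and the function signatures are simplified assumptions; only the DLT values are libpcap's real ones.

```c
/* Added example (not Snort's code): select the layer-2 header printer by
 * libpcap DLT so that -e on Token Ring no longer dereferences a NULL eh. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
/* Real libpcap link-type values: Ethernet and IEEE 802.5 Token Ring. */
#define DLT_EN10MB  1
#define DLT_IEEE802 6
/* Simplified (assumed) header layouts, enough to print the MAC addresses. */
typedef struct { uint8_t dst[6], src[6]; uint16_t type; } EthHdr;
typedef struct { uint8_t ac, fc; uint8_t dst[6], src[6]; } TrHdr;
/* Decoded packet (assumed): only the header matching the DLT is non-NULL. */
typedef struct { int dlt; const EthHdr *eh; const TrHdr *trh; } Packet;

static void fmt_mac(const uint8_t *m, char *out, size_t n) {
    snprintf(out, n, "%02X:%02X:%02X:%02X:%02X:%02X",
             m[0], m[1], m[2], m[3], m[4], m[5]);
}

/* Ethernet printer: refuses a NULL eh instead of crashing (fix 2 in the thread). */
int PrintEthHeader(const Packet *p, char *out, size_t n) {
    char s[18], d[18];
    if (p->eh == NULL) return -1;
    fmt_mac(p->eh->src, s, sizeof s);
    fmt_mac(p->eh->dst, d, sizeof d);
    snprintf(out, n, "ETH %s -> %s type:0x%04X", s, d, p->eh->type);
    return 0;
}

/* Token Ring printer: prints the TR header's own MAC addresses (fix 3 in the thread). */
int PrintTRHeader(const Packet *p, char *out, size_t n) {
    char s[18], d[18];
    if (p->trh == NULL) return -1;
    fmt_mac(p->trh->src, s, sizeof s);
    fmt_mac(p->trh->dst, d, sizeof d);
    snprintf(out, n, "TR %s -> %s AC:0x%02X FC:0x%02X", s, d, p->trh->ac, p->trh->fc);
    return 0;
}

/* -e entry point: dispatch on DLT; an unsupported link type warns (fix 1), never crashes. */
int PrintL2Header(const Packet *p, char *out, size_t n) {
    switch (p->dlt) {
    case DLT_EN10MB:  return PrintEthHeader(p, out, n);
    case DLT_IEEE802: return PrintTRHeader(p, out, n);
    default:
        snprintf(out, n, "WARNING: -e only applies to Ethernet/Token Ring (DLT %d)", p->dlt);
        return -1;
    }
}
```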