From: Marc Thompson (Marc.Thompsonbops.com)
Date: Thu Jun 07 2001 - 09:50:53 CDT

    William,

    I don't know how difficult it would be to add awareness of PPPoE to
    Snort. Though, I do believe that each version adds more protocols...
    maybe someone out there knows whether or not this is being considered.

    Not being a C coder I can only speculate on how easy or hard it
    would be to add support for PPPoE to Snort. I still think that the
    way to go is to get a DSL modem that strips the PPP encapsulation
    from the packet and sends regular Ethernet frames to your PC, but
    maybe writing a PPPoE handler is a personal scratch for you to itch,
    so by all means give it a whirl.

    Performance... whizbang. Snort (for me) hasn't had any trouble
    sniffing high-speed networks. The trick is to use only the rules
    that you really need. If you're not running the Chameleon server, for
    example, there's really no need to use rules that check for
    the Chameleon SMTP overflow attack.

    Regards,
    Marc Thompson

    *******************************************
    Marc Thompson
    IT Site Manager
    BOPS, Inc.
    7800 Shoal Creek Blvd. Suite 200N
    Austin, TX 78757
    Direct: (512)407-1103
    Fax: (512)346-8407

    -----Original Message-----
    From: William Pomian [mailto:willishfree.fr]
    Sent: Thursday, June 07, 2001 8:14 AM
    To: Marc Thompson
    Cc: snort-userslists.sourceforge.net
    Subject: Re: [Snort-users] [Newbie] pppoe

    On Thu, 7 Jun 2001 07:41:59 -0500
    Marc Thompson wrote:
    > William,
    >
    > It looks like it is working, just doesn't know how to
    > decode the protocol:
    >
    > OTHER: 2009 (99.851%)
    >
    > Are you using a DSL modem? It may be possible to exchange
    > your DSL modem for one that has a bona-fide Ethernet connection
    > in it.

    I haven't looked at the Snort source code yet, but it may be possible
    to implement PPPoE decapsulation like Ethereal does...

    Do you think that is a hard task?
    What about Snort performance?

    Thx Marc,

    William.
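The decapsulation step discussed in this thread, sketched as an added example (not code from the thread, from Snort or from Ethereal): a PPPoE session frame is an Ethernet header with EtherType 0x8864, a 6-byte PPPoE header and a 2-byte PPP protocol ID in front of the IP packet (RFC 2516). The function name `pppoe_decap`, the `EX_` constants and the sample frame are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EX_ETH_HLEN      14
#define EX_ETYPE_PPPOE_S 0x8864  /* PPPoE session stage (RFC 2516) */
#define EX_PPPOE_HLEN    6       /* ver/type, code, session id, length */
#define EX_PPP_IPV4      0x0021  /* PPP protocol ID for IPv4 */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns 0 and points *ip / *ip_len at the encapsulated IPv4 packet,
 * or a negative code saying why the frame was left undecoded. */
int pppoe_decap(const uint8_t *frame, size_t len,
                const uint8_t **ip, size_t *ip_len)
{
    if (len < EX_ETH_HLEN + EX_PPPOE_HLEN + 2) return -1;   /* too short */
    if (be16(frame + 12) != EX_ETYPE_PPPOE_S) return -2;    /* not a PPPoE session frame */
    const uint8_t *h = frame + EX_ETH_HLEN;
    if (h[0] != 0x11 || h[1] != 0x00) return -3;            /* want ver=1, type=1, code=0 */
    size_t plen = be16(h + 4);                              /* PPP protocol ID + data */
    /* Never trust the length field beyond the captured bytes; frames may
     * carry Ethernet padding, so a shorter plen than what remains is fine. */
    if (plen < 2 || plen > len - EX_ETH_HLEN - EX_PPPOE_HLEN) return -4;
    if (be16(h + EX_PPPOE_HLEN) != EX_PPP_IPV4) return -5;  /* LCP, IPCP, IPv6, ... */
    *ip = h + EX_PPPOE_HLEN + 2;
    *ip_len = plen - 2;
    return 0;
}

/* Constructed sample: PPPoE session 1 carrying a bare 20-byte IPv4 header. */
static const uint8_t sample_frame[] = {
    0x02,0x00,0x00,0x00,0x00,0x01, 0x02,0x00,0x00,0x00,0x00,0x02, 0x88,0x64,
    0x11,0x00, 0x00,0x01, 0x00,0x16,          /* ver/type, code, sid, length=22 */
    0x00,0x21,                                /* PPP protocol: IPv4 */
    0x45,0x00,0x00,0x14, 0x00,0x00,0x00,0x00, 0x40,0x06,0x00,0x00,
    0xc0,0x00,0x02,0x01, 0xc0,0x00,0x02,0x02  /* 192.0.2.1 -> 192.0.2.2 */
};

int main(void)
{
    const uint8_t *ip = NULL;
    size_t n = 0;
    int rc = pppoe_decap(sample_frame, sizeof sample_frame, &ip, &n);
    printf("rc=%d inner_len=%zu first_byte=0x%02x\n", rc, n, rc == 0 ? ip[0] : 0);
    return rc;
}
```

After this step the inner packet can be handed to an ordinary IP decoder; frames rejected here are the ones a sniffer without PPPoE support counts as "OTHER".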