From: limbo (limbo usa.com)
Date: Thu May 09 2002 - 21:40:06 CDT
Yep. I have fixed this problem in snort 1.8.4 :)
You know, the Ethernet frame is encapsulated with a 26-byte header and a 4-byte tail (CRC checksum) according to Cisco ISL. So, we only need to modify DecodeEthPkt() in decode.c :)
decode.c
/* $Id: decode.c,v 1.48.2.7 2002/03/16 06:31:16 roesch Exp $ */
......
void DecodeEthPkt(Packet * p, struct pcap_pkthdr * pkthdr, u_int8_t * pkt)
{
    ......
    /* lay the ethernet structure over the packet data */
    p->eh = (EtherHdr *) pkt;
#ifdef DEBUG
    ErrorMessage("%X %X\n", *p->eh->ether_src, *p->eh->ether_dst);
#endif
    /******************************************************/
    /* check to see if we've got a Cisco ISL packet:       */
    /* the ISL header carries the SNAP bytes AA AA 03 at   */
    /* offset 14. The length check keeps cap_len - 44 from */
    /* going negative on a truncated capture.              */
    /* Added by limbo & flag. 2002/05/08                   */
    if ( (cap_len >= 44) &&
         (*(pkt+14) == 0xaa) && (*(pkt+15) == 0xaa) && (*(pkt+16) == 0x3) ) {
#ifdef DEBUG
        PrintNetData(stdout, p->pkt, cap_len);
        ClearDumpBuf();
#endif
        /* 40 = 26 (ISL header) + 14 (Ethernet header);   */
        /* 44 = 40 + 4 (ISL CRC trailer at the end)        */
        DecodeIP(p->pkt + 40, cap_len - 44, p);
        return;
    }
    /*****************************************************/
    /* grab out the network type */
    switch(ntohs(p->eh->ether_type))
    {
    ........
good luck
limbo
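As an added example (not code from the thread and not Snort's decode.c), the following stand-alone C program applies the frame layout limbo describes: a 26-byte ISL header, the encapsulated Ethernet frame, and a 4-byte ISL CRC trailer. It also reads the 15-bit VLAN id from ISL header bytes 20-21. One caveat worth showing: an ordinary 802.3 LLC/SNAP frame also carries AA AA 03 at offset 14 (the LLC header sits right after the 2-byte length field), so the example additionally requires the ISL destination prefix 01:00:0c:00:00 and a minimum capture length before stripping. Both sample frames, the MAC and IP addresses in them, and the CRC trailer value are constructed for this example.

```c
/* Added example, not Snort's decode.c: detect a Cisco ISL-encapsulated
 * frame, read its VLAN id, and locate the inner Ethernet frame once the
 * 26-byte ISL header and 4-byte ISL CRC trailer are removed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ISL_HDR_LEN 26   /* ISL header length, as given in the thread */
#define ISL_CRC_LEN 4    /* ISL trailer CRC length, as given in the thread */
#define ETH_HDR_LEN 14   /* dst(6) + src(6) + type(2) */

typedef struct {
    int strict;          /* 0 if the strict ISL check accepted the frame, else -1 */
    int naive;           /* result of the thread's "AA AA 03 at offset 14" heuristic */
    unsigned vlan;       /* 15-bit VLAN id from ISL bytes 20-21 (valid when strict == 0) */
    size_t inner_len;    /* inner Ethernet frame length with the CRC trailer removed */
    int inner_ethertype; /* EtherType of the inner frame, -1 if not ISL */
} isl_result;

/* The heuristic from the thread, plus a bound so we never read past caplen. */
int naive_isl_check(const uint8_t *pkt, size_t caplen)
{
    return caplen > 16 && pkt[14] == 0xaa && pkt[15] == 0xaa && pkt[16] == 0x03;
}

/* Stricter check: also require the ISL destination prefix 01:00:0c:00:00,
 * which a plain 802.3 LLC/SNAP frame (AA AA 03 at the same offset) lacks,
 * and enough captured bytes for header + inner Ethernet header + trailer. */
int isl_strip(const uint8_t *pkt, size_t caplen, isl_result *r)
{
    static const uint8_t isl_da[5] = { 0x01, 0x00, 0x0c, 0x00, 0x00 };

    r->naive = naive_isl_check(pkt, caplen);
    r->strict = -1;
    r->vlan = 0;
    r->inner_len = 0;
    r->inner_ethertype = -1;
    if (caplen < ISL_HDR_LEN + ETH_HDR_LEN + ISL_CRC_LEN || !r->naive ||
        memcmp(pkt, isl_da, sizeof isl_da) != 0)
        return -1;

    /* bytes 20-21: 15-bit VLAN id followed by the 1-bit BPDU flag */
    r->vlan = (((unsigned)pkt[20] << 8) | pkt[21]) >> 1;
    r->inner_len = caplen - ISL_HDR_LEN - ISL_CRC_LEN;
    r->inner_ethertype = (pkt[ISL_HDR_LEN + 12] << 8) | pkt[ISL_HDR_LEN + 13];
    r->strict = 0;
    return 0;
}

/* Constructed sample: ISL header (VLAN 100) + IPv4 Ethernet frame + ISL CRC, 64 bytes. */
static const uint8_t isl_sample[] = {
    0x01,0x00,0x0c,0x00,0x00, 0x00,                        /* ISL DA prefix, TYPE/USER */
    0x00,0x11,0x22,0x33,0x44,0x55, 0x00,0x26,              /* SA (constructed), LEN */
    0xaa,0xaa,0x03, 0x00,0x00,0x0c,                        /* SNAP, HSA */
    0x00,0xc8, 0x00,0x01, 0x00,0x00,                       /* VLAN 100<<1 | BPDU 0, INDEX, RES */
    0x00,0x0a,0x0b,0x0c,0x0d,0x0e, 0x00,0x1a,0x1b,0x1c,0x1d,0x1e, 0x08,0x00, /* inner Ethernet, IPv4 */
    0x45,0x00,0x00,0x14, 0x00,0x00,0x00,0x00, 0x40,0x01,0x00,0x00,            /* minimal IPv4 header */
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,              /* 10.0.0.1 -> 10.0.0.2 (constructed) */
    0xde,0xad,0xbe,0xef                                    /* ISL CRC trailer (placeholder value) */
};

/* Constructed sample: plain 802.3 LLC/SNAP frame (CDP-style, 44 bytes) that
 * also carries AA AA 03 at offset 14 but is not ISL. */
static const uint8_t snap_sample[] = {
    0x01,0x00,0x0c,0xcc,0xcc,0xcc, 0x00,0x11,0x22,0x33,0x44,0x55, /* dst, src */
    0x00,0x1e,                                             /* 802.3 length = 30 */
    0xaa,0xaa,0x03, 0x00,0x00,0x0c, 0x20,0x00,             /* LLC/SNAP, OUI, PID */
    0x02,0xb4,0x00,0x00, 0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0 /* filler payload (22 bytes) */
};

size_t isl_sample_len(void)  { return sizeof isl_sample; }
size_t snap_sample_len(void) { return sizeof snap_sample; }

isl_result analyze_isl_sample(void)
{
    isl_result r;
    isl_strip(isl_sample, sizeof isl_sample, &r);
    return r;
}

isl_result analyze_snap_sample(void)
{
    isl_result r;
    isl_strip(snap_sample, sizeof snap_sample, &r);
    return r;
}

int main(void)
{
    isl_result a = analyze_isl_sample(), b = analyze_snap_sample();
    printf("ISL sample:  strict=%d naive=%d vlan=%u inner_len=%zu ethertype=0x%04x\n",
           a.strict, a.naive, a.vlan, a.inner_len, a.inner_ethertype);
    printf("SNAP sample: strict=%d naive=%d (heuristic alone would misclassify it)\n",
           b.strict, b.naive);
    return 0;
}
```

For the 64-byte ISL sample, inner_len comes out as 34 (14 bytes of Ethernet header plus the 20-byte IPv4 header), which is exactly what limbo's `DecodeIP(p->pkt + 40, cap_len - 44, p)` hands to the IP decoder: 64 - 44 = 20 bytes of IP. The SNAP sample passes the offset-14 heuristic but fails the destination-prefix check, which is the case a decoder relying on the heuristic alone would hand to DecodeIP with a bogus 40-byte offset.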
----------------------------------------------------
From: Dave Cundiff (dave.cundiff exchange1.cybx.net)
Date: Mon Mar 04 2002 - 07:50:08 CST
I'm looking at setting up snort for my network here but have a quick
question that I can't seem to answer from any of the documentation. I'm
going to be using a hardware sniffer to copy the ISL trunk going between my
main switch and my router to a snort box. This should allow snort to sniff
all traffic on my network. However since it's an ISL trunk all the packets
will have an additional header on them containing what vlan the packet is
for.
So my question is can or is there some way that Snort can ignore that first
header? Or will it just not be able to make any sense out of the packet?
Dave Cundiff
Systems Administrator
World Wide Net, Inc.
http://www.wwnet.net