Re: [Sguil-users] PPPoE de-encapsulation?
From: Brett C. <br...@wr...> - 2009-11-20 02:02:48
Am I reading this post by Matt Thompson correctly?

http://osdir.com/ml/security.ids.snort.devel/2004-02/msg00090.html

This seems to be a patch to barnyard to allow it to decode PPPoE?

--
********************************************************************
Brett Charbeneau, GSEC Gold, GCIH Gold
Network Administrator
Williamsburg Regional Library
7770 Croaker Road
Williamsburg, VA 23188-7064
(757)259-4044          www.wrl.org
(757)259-4079 (fax)    br...@wr...
********************************************************************

On Sun, 6 Jul 2008, Bamm Visscher wrote:

BV> It's actually a barnyard issue. It doesn't have a way to decode PPPoE.

Ah, ha. That'll do it.

I see there's a plan afoot to bring this capability to barnyard so, like everything else associated with the sguil project, I know I'll be amazed when it comes together.

Thanks Bamm!

BV> On 7/5/08, Brett Charbeneau <br...@wr...> wrote:
BV> > Kind Folks,
BV> >
BV> > Please let me know if this is more of a snort question than one
BV> > for sguil - and apologies in advance if it is.
BV> > I've got a sguil 0.7.0 setup running and I'm wondering about
BV> > using it to monitor what is essentially a WAN connection, which I've
BV> > never done before.
BV> > I run a few websites off of an ADSL circuit at my home and the
BV> > firewall is also the Apache server. I thought it would be interesting
BV> > to put my network tap between the DSL modem and the interface on the
BV> > firewall/webserver - running PPPoE - to capture ALL the traffic coming
BV> > in and going out of the network. This is opposed to putting the tap
BV> > between the LAN-facing network and the firewall, which only captures
BV> > traffic between whatever clients are surfing the net.
BV> > I'm thinking that the encapsulation in PPPoE may be keeping snort
BV> > from seeing the traffic - here's some tcpdump output:
BV> >
BV> > http://www.pastebin.ca/1063008
BV> >
BV> > I'm not able to get any rules to fire with this setup when it
BV> > worked just fine when the tap was in the other position.
BV> > Is there a way I can get snort and PADS to work with this setup?
BV> >
BV> >
BV> > --
BV> > ********************************************************************
BV> > Brett Charbeneau
BV> > Network Administrator
BV> > Williamsburg Regional Library
BV> > 7770 Croaker Road
BV> > Williamsburg, VA 23188-7064
BV> > (757)259-4044          www.wrl.org
BV> > (757)259-4079 (fax)    br...@wr...
BV> > ********************************************************************
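What the thread is asking for, shown as an added example that is not code from sguil, snort, barnyard or the posters: the PPPoE session encapsulation that sits between the Ethernet header and the IP packet on a PPPoE link (RFC 2516: 6-byte PPPoE header, then a 2-byte PPP protocol field) is stripped off, and the frame is rewritten as plain Ethernet/IP so a decoder that only understands Ethernet can see the packet. The MAC addresses, IP addresses, session id and the one-record pcap are constructed sample input, not a real capture. This is a pcap rewriting approach for replay (e.g. into a decoder without PPPoE support); live sniffing on the WAN side of the tap still needs the decoder itself to understand PPPoE, which is the point Bamm makes above.

```python
"""De-encapsulate PPPoE session frames so a plain Ethernet/IP decoder can read them.

Added example (not code from sguil, snort or barnyard). Layout of a PPPoE
session frame per RFC 2516:
    Ethernet(14, EtherType 0x8864) | PPPoE(6) | PPP protocol(2) | IP packet
"""
import struct

ETHERTYPE_PPPOE_SESSION = 0x8864   # 0x8863 is the discovery stage (PADI/PADO/PADR/PADS)
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
PCAP_LINKTYPE_ETHERNET = 1

# PPP protocol numbers that carry IP; LCP (0xC021), IPCP (0x8021) etc. carry no IP
# and are deliberately left untouched.
PPP_TO_ETHERTYPE = {0x0021: ETHERTYPE_IPV4, 0x0057: ETHERTYPE_IPV6}


def strip_pppoe(frame: bytes):
    """Return (inner_ethertype, ip_packet) for a PPPoE session frame carrying IP.

    Returns None for anything else (plain Ethernet, PPPoE discovery, PPP control
    protocols, truncated or malformed frames) so the caller keeps the frame as is.
    """
    if len(frame) < 22:                        # 14 Ethernet + 6 PPPoE + 2 PPP protocol
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_PPPOE_SESSION:
        return None
    ver_type, code, _session_id, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != 0x11 or code != 0x00:       # version 1, type 1, code 0 = session data
        return None
    payload = frame[20:20 + length]
    if length < 2 or len(payload) != length:   # length field must fit inside the capture
        return None
    inner_type = PPP_TO_ETHERTYPE.get(struct.unpack("!H", payload[:2])[0])
    if inner_type is None:
        return None
    return inner_type, payload[2:]


def rewrite_frame(frame: bytes) -> bytes:
    """Rewrite a PPPoE/IP frame as Ethernet/IP with the same MACs; others pass through."""
    stripped = strip_pppoe(frame)
    if stripped is None:
        return frame
    inner_type, packet = stripped
    return frame[:12] + struct.pack("!H", inner_type) + packet


def rewrite_pcap_bytes(data: bytes) -> bytes:
    """Rewrite every record of a classic pcap (not pcapng) held in memory."""
    magic = data[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        endian = "<"                           # little-endian, usec or nsec timestamps
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != PCAP_LINKTYPE_ETHERNET:
        raise ValueError("expected LINKTYPE_ETHERNET, got %d" % linktype)
    out = [data[:24]]
    pos = 24
    while pos + 16 <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[pos:pos + 16])
        frame = data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        new = rewrite_frame(frame)
        removed = len(frame) - len(new)        # 8 bytes when PPPoE was stripped, else 0
        out.append(struct.pack(endian + "IIII", ts_sec, ts_frac, len(new), orig_len - removed))
        out.append(new)
    return b"".join(out)


def rewrite_pcap(src_path: str, dst_path: str) -> None:
    """File wrapper: rewrite_pcap("pppoe.pcap", "plain.pcap"), then replay plain.pcap."""
    with open(src_path, "rb") as src:
        data = src.read()
    with open(dst_path, "wb") as dst:
        dst.write(rewrite_pcap_bytes(data))


def ip_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header (0 when verifying a good one)."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_frame() -> bytes:
    """Constructed PPPoE session frame carrying IPv4/UDP (sample input, not a real capture)."""
    udp_payload = b"GET / HTTP/1.0\r\n"
    udp = struct.pack("!HHHH", 40000, 80, 8 + len(udp_payload), 0) + udp_payload
    ip_fields = (0x45, 0, 20 + len(udp), 0x1234, 0, 64, 17, 0,
                 bytes([192, 168, 1, 2]), bytes([198, 51, 100, 7]))   # assumed addresses
    ip_hdr = struct.pack("!BBHHHBBH4s4s", *ip_fields)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    ppp = struct.pack("!H", 0x0021) + ip_hdr + udp                # 0x0021 = IPv4 over PPP
    pppoe = struct.pack("!BBHH", 0x11, 0x00, 0x0042, len(ppp))    # session id 0x42 assumed
    eth = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
           + struct.pack("!H", ETHERTYPE_PPPOE_SESSION))
    return eth + pppoe + ppp


def build_sample_pcap() -> bytes:
    """Constructed one-record little-endian pcap wrapping build_sample_frame()."""
    frame = build_sample_frame()
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, PCAP_LINKTYPE_ETHERNET)
    record = struct.pack("<IIII", 1215302400, 0, len(frame), len(frame))
    return header + record + frame
```

The PPPoE length field is checked against what was actually captured before anything is trusted past the header, so a truncated or forged length cannot read beyond the frame, and the original capture length is adjusted by exactly the 8 bytes removed so the rewritten pcap stays consistent. PPPoE discovery frames and PPP control frames (LCP, IPCP) are passed through unchanged on purpose: they carry no IP and stripping them would only produce garbage for the IP decoder.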