Logging my daily changing WAN-address
-
You could create a patch that adds that line to rc.newwanip and set it to auto-apply.
-
@stephenw10 said in [somewhat solved] Easy solution for logging my daily changing WAN-address:
You could create a patch that adds that line to rc.newwanip and set it to auto-apply.
Yes that would be an option!
But now I found a new "problem": Snort cannot handle the pppoe0 interface (with if_pppoe) and exits with this error:
"FATAL ERROR: Cannot decode data link type 51"
so there is more work to do
I switched back to "mpd" because i need Snort working ... 
-
Hmm, using in-line mode?
-
@stephenw10 said in [somewhat solved] Easy solution for logging my daily changing WAN-address:
Hmm, using in-line mode?
No, legacy mode ...
-
OK digging....
-
@stephenw10 said in [somewhat solved] Easy solution for logging my daily changing WAN-address:
OK digging....
I have post a question also in IDS/IPS adressed to Bill Meeks
-
Yup replicated it here. Digging deeper...
-
@stephenw10 said in Logging my daily changing WAN-address:
Yup replicated it here. Digging deeper...
The problem is within the Snort binary package. The new
if_pppoedriver apparently returns a datalink type of DLT_PPP_ETHER (which is integer code '51'). But the Snort C source code is only looking for DLT_PPP (which is integer code '9'). Because the switch...case logic does not match on DLT_PPP_ETHER, thedefaultstatement at line 3257 prevails and Snort executes a fatal error and terminates.The code in question is within snort.c beginning at line 3118. Here is the module source code:
/* * Function: SetPktProcessor() * * Purpose: Set root decoder based on datalink */ // TBD add GetDecoder(dlt) to decode module and hide all // protocol decoder functions. static int SetPktProcessor(void) { const char* slink = NULL; const char* extra = NULL; int dlt = DAQ_GetBaseProtocol(); switch ( dlt ) { case DLT_EN10MB: slink = "Ethernet"; grinder = DecodeEthPkt; break; #ifdef DLT_LOOP case DLT_LOOP: #endif case DLT_NULL: /* loopback and stuff.. you wouldn't perform intrusion detection * on it, but it's ok for testing. */ slink = "LoopBack"; extra = "Data link layer header parsing for this network type " "isn't implemented yet"; grinder = DecodeNullPkt; break; case DLT_RAW: case DLT_IPV4: slink = "Raw IP4"; extra = "There's no second layer header available for this datalink"; grinder = DecodeRawPkt; break; case DLT_IPV6: slink = "Raw IP6"; extra = "There's no second layer header available for this datalink"; grinder = DecodeRawPkt6; break; #ifdef DLT_I4L_IP case DLT_I4L_IP: slink = "I4L-ip"; grinder = DecodeEthPkt; break; #endif #ifndef NO_NON_ETHER_DECODER #ifdef DLT_I4L_CISCOHDLC case DLT_I4L_CISCOHDLC: slink = "I4L-cisco-h"; grinder = DecodeI4LCiscoIPPkt; break; #endif case DLT_PPP: slink = "PPP"; extra = "Second layer header parsing for this datalink " "isn't implemented yet"; grinder = DecodePppPkt; break; #ifdef DLT_I4L_RAWIP case DLT_I4L_RAWIP: // you need the I4L modified version of libpcap to get this stuff // working slink = "I4L-rawip"; grinder = DecodeI4LRawIPPkt; break; #endif #ifdef DLT_IEEE802_11 case DLT_IEEE802_11: slink = "IEEE 802.11"; grinder = DecodeIEEE80211Pkt; break; #endif #ifdef DLT_ENC case DLT_ENC: slink = "Encapsulated data"; grinder = DecodeEncPkt; break; #else case 13: #endif /* DLT_ENC */ case DLT_IEEE802: slink = "Token Ring"; grinder = DecodeTRPkt; break; case DLT_FDDI: slink = "FDDI"; grinder = DecodeFDDIPkt; break; #ifdef DLT_CHDLC case DLT_CHDLC: slink = "Cisco HDLC"; grinder = DecodeChdlcPkt; break; #endif case DLT_SLIP: slink = "SLIP"; extra = "Second layer header parsing for this datalink " "isn't implemented yet\n"; grinder = DecodeSlipPkt; break; #ifdef DLT_PPP_SERIAL case DLT_PPP_SERIAL: /* PPP with full HDLC header*/ slink = "PPP Serial"; extra = "Second layer header parsing for this datalink " " isn't implemented yet"; grinder = DecodePppSerialPkt; break; #endif #ifdef DLT_LINUX_SLL case DLT_LINUX_SLL: slink = "Linux SLL"; grinder = DecodeLinuxSLLPkt; break; #endif #ifdef DLT_PFLOG case DLT_PFLOG: slink = "OpenBSD PF log"; grinder = DecodePflog; break; #endif #ifdef DLT_OLDPFLOG case DLT_OLDPFLOG: slink = "Old OpenBSD PF log"; grinder = DecodeOldPflog; break; #endif #endif // NO_NON_ETHER_DECODER default: /* oops, don't know how to handle this one */ FatalError("Cannot decode data link type %d\n", dlt); break; } if ( !ScReadMode() || ScPcapShow() ) { LogMessage("Decoding %s\n", slink); } if (extra && ScOutputDataLink()) { LogMessage("%s\n", extra); snort_conf->output_flags &= ~OUTPUT_FLAG__SHOW_DATA_LINK; } #ifdef ACTIVE_RESPONSE Encode_Init(); #endif return 0; }The fix might be as simple as adding this additional code to the switch...case test, but that assumes the raw PPP data is exactly same between the old
mpddriver and the newif_pppoedriver:case DLT_PPP_ETHER: slink = "PPP"; extra = "Second layer header parsing for this datalink " "isn't implemented yet"; grinder = DecodePppPkt; break; -
B bmeeks referenced this topic on
-
Yup, that's exactly what we thought. Just waiting for a build to test....
-
Opened a bug to track: https://redmine.pfsense.org/issues/16229
-
@stephenw10 said in Logging my daily changing WAN-address:
Yup, that's exactly what we thought. Just waiting for a build to test....
Note that Suricata likely has the same issue. See my comment in this thread for the relevant section of source code: https://forum.netgate.com/topic/197701/error-on-snort-with-if_pppoe/8.
