Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    error on snort with if_pppoe

    Scheduled Pinned Locked Moved IDS/IPS
    9 Posts 3 Posters 525 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • fireodoF
      fireodo
      last edited by fireodo

      Hi, @bmeeks

      when enabling the new if_pppoe driver snort refuses to start on the pppoe0 with this error:

      "FATAL ERROR: Cannot decode data link type 51"

      have you a idea where the trouble is?
      😢

      Kettop Mi4300YL CPU: i5-4300Y @ 1.60GHz RAM: 8GB Ethernet Ports: 4
      SSD: SanDisk pSSD-S2 16GB (ZFS) WiFi: WLE200NX
      pfsense 2.8.0 CE
      Packages: Apcupsd, Cron, Iftop, Iperf, LCDproc, Nmap, pfBlockerNG, RRD_Summary, Shellcmd, Snort, Speedtest, System_Patches.

      S bmeeksB 2 Replies Last reply Reply Quote 0
      • S
        slu @fireodo
        last edited by

        @fireodo not a solution, but snort on the WAN doesn't make sense.

        pfSense Gold subscription

        fireodoF 1 Reply Last reply Reply Quote 0
        • fireodoF
          fireodo @slu
          last edited by

          @slu said in error on snort with if_pppoe:

          @fireodo not a solution, but snort on the WAN doesn't make sense.

          Agree, but in some special cases it makes sense 😉

          Kettop Mi4300YL CPU: i5-4300Y @ 1.60GHz RAM: 8GB Ethernet Ports: 4
          SSD: SanDisk pSSD-S2 16GB (ZFS) WiFi: WLE200NX
          pfsense 2.8.0 CE
          Packages: Apcupsd, Cron, Iftop, Iperf, LCDproc, Nmap, pfBlockerNG, RRD_Summary, Shellcmd, Snort, Speedtest, System_Patches.

          1 Reply Last reply Reply Quote 0
          • bmeeksB
            bmeeks @fireodo
            last edited by bmeeks

            @fireodo said in error on snort with if_pppoe:

            Hi, @bmeeks

            when enabling the new if_pppoe driver snort refuses to start on the pppoe0 with this error:

            "FATAL ERROR: Cannot decode data link type 51"

            have you a idea where the trouble is?
            😢

            Not sure exactly, but sounds like the new proprietary PPPoE kernel driver does not play well with PCAP (which is what the Legacy Blocking Mode uses). I suspect Inline IPS Mode operation may fail as well unless the new kernel driver handles netmap seamlessly. The problem is likely within the DAQ module from Snort upstream. Since 2.9.x Snort is on the way to extinction, I would not expect this to be addressed.

            Snort by default uses libpcap to attach to the configured interface and get a copy of the packets flowing. A long time ago Suricata upstream added special code to make it work with libpcap and PPPoE interfaces. I suspect a similar problem now exists for Snort (and probably Suricata as well) with the new Netgate-developed proprietary PPPoE kernel driver.

            fireodoF 1 Reply Last reply Reply Quote 0
            • fireodoF
              fireodo @bmeeks
              last edited by

              @bmeeks

              Hi,
              and thanks for the enlightenment!

              Regards,
              fireodo

              Kettop Mi4300YL CPU: i5-4300Y @ 1.60GHz RAM: 8GB Ethernet Ports: 4
              SSD: SanDisk pSSD-S2 16GB (ZFS) WiFi: WLE200NX
              pfsense 2.8.0 CE
              Packages: Apcupsd, Cron, Iftop, Iperf, LCDproc, Nmap, pfBlockerNG, RRD_Summary, Shellcmd, Snort, Speedtest, System_Patches.

              1 Reply Last reply Reply Quote 0
              • bmeeksB
                bmeeks
                last edited by bmeeks

                This would be something only the Netgate team can fix since they developed the new PPPoE kernel module and the source code for the driver is currently not public.

                It will likely require changes in either the C source code of the Snort DAQ binary package, or alterations to the new if_pppoe kernel module so that it mimics existing mpd behavior with libpcap.

                fireodoF 1 Reply Last reply Reply Quote 1
                • fireodoF
                  fireodo @bmeeks
                  last edited by

                  @bmeeks said in error on snort with if_pppoe:

                  This would be something only the Netgate team can fix since they developed the new PPPoE kernel module and the source code for the driver is currently not public.

                  I have informed @stephenw10 too and he will dig deeper ... ( https://forum.netgate.com/post/1216662 )

                  Kettop Mi4300YL CPU: i5-4300Y @ 1.60GHz RAM: 8GB Ethernet Ports: 4
                  SSD: SanDisk pSSD-S2 16GB (ZFS) WiFi: WLE200NX
                  pfsense 2.8.0 CE
                  Packages: Apcupsd, Cron, Iftop, Iperf, LCDproc, Nmap, pfBlockerNG, RRD_Summary, Shellcmd, Snort, Speedtest, System_Patches.

                  1 Reply Last reply Reply Quote 0
                  • bmeeksB
                    bmeeks
                    last edited by

                    I've posted a follow-up in this thread: https://forum.netgate.com/topic/196893/logging-my-daily-changing-wan-address/38.

                    1 Reply Last reply Reply Quote 1
                    • bmeeksB
                      bmeeks
                      last edited by bmeeks

                      Looks like Suricata's binary part will have the same issue as Snort. It is missing a match for the LINKTYPE_PPP_ETHER link type as well --

                      The relevant code is within src/decode.h starting at line 1122,

                      static inline void DecodeLinkLayer(ThreadVars *tv, DecodeThreadVars *dtv,
        const int datalink, Packet *p, const uint8_t *data, const uint32_t len)
{
    /* call the decoder */
    switch (datalink) {
        case LINKTYPE_ETHERNET:
            DecodeEthernet(tv, dtv, p, data, len);
            break;
        case LINKTYPE_LINUX_SLL:
            DecodeSll(tv, dtv, p, data, len);
            break;
        case LINKTYPE_PPP:
            DecodePPP(tv, dtv, p, data, len);
            break;
        case LINKTYPE_RAW:
        case LINKTYPE_GRE_OVER_IP:
            DecodeRaw(tv, dtv, p, data, len);
            break;
        case LINKTYPE_NULL:
            DecodeNull(tv, dtv, p, data, len);
            break;
       case LINKTYPE_CISCO_HDLC:
            DecodeCHDLC(tv, dtv, p, data, len);
            break;
        default:
            SCLogError("datalink type "
                       "%" PRId32 " not yet supported",
                    datalink);
            break;
    }
}

                      An edit like the one below will probably work (again, as with Snort, if the raw PPP data is the same in the two link types) --

                      static inline void DecodeLinkLayer(ThreadVars *tv, DecodeThreadVars *dtv,
        const int datalink, Packet *p, const uint8_t *data, const uint32_t len)
{
    /* call the decoder */
    switch (datalink) {
        case LINKTYPE_ETHERNET:
            DecodeEthernet(tv, dtv, p, data, len);
            break;
        case LINKTYPE_LINUX_SLL:
            DecodeSll(tv, dtv, p, data, len);
            break;
        case LINKTYPE_PPP:
        case LINKTYPE_PPP_ETHER:
            DecodePPP(tv, dtv, p, data, len);
            break;
        case LINKTYPE_RAW:
        case LINKTYPE_GRE_OVER_IP:
            DecodeRaw(tv, dtv, p, data, len);
            break;
        case LINKTYPE_NULL:
            DecodeNull(tv, dtv, p, data, len);
            break;
       case LINKTYPE_CISCO_HDLC:
            DecodeCHDLC(tv, dtv, p, data, len);
            break;
        default:
            SCLogError("datalink type "
                       "%" PRId32 " not yet supported",
                    datalink);
            break;
    }
}
                      1 Reply Last reply Reply Quote 0
                      • bmeeksB bmeeks referenced this topic
                      • First post
                        Last post
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.