PPPOE issue; Snort new rules;



  • Well, I use a PPPoE connection from my ISP. I've configured all things and they work ^^ maybe by magic or something ;d

    Anyway, here is a picture (and log) where it shows that on em1 (WAN cable) I've set another MAC address to use it with the ppp interface.

    ```
    $ ifconfig
    em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    	options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
    	ether 00:d0:68:xx:xx:xx
    	inet 10.8.133.1 netmask 0xffffff00 broadcast 10.8.133.255
    	inet6 fe80::2d0:68ff:fe0c:AABB%em0 prefixlen 64 scopeid 0x1
    	nd6 options=1<PERFORMNUD>
    	media: Ethernet autoselect (100baseTX <full-duplex>)
    	status: active
    em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    	options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
    	ether 00:13:8f:xx:xx:xx
    	inet6 fe80::213:8fff:feXX:AABB%em1 prefixlen 64 scopeid 0x2
    	nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
    	media: Ethernet autoselect (100baseTX <full-duplex>)
    	status: active
    em2: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
    	options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
    	ether 00:d0:68:xx:xx:xx
    	media: Ethernet autoselect
    	status: no carrier
    enc0: flags=0<> metric 0 mtu 1536
    pfsync0: flags=0<> metric 0 mtu 1460
    	syncpeer: 224.0.0.240 maxupd: 128 syncok: 1
    pflog0: flags=100<PROMISC> metric 0 mtu 33192
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    	options=3<RXCSUM,TXCSUM>
    	inet 127.0.0.1 netmask 0xff000000
    	inet6 ::1 prefixlen 128
    	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
    	nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
    pppoe0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1492
    	inet6 fe80::2d0:68ff:fe0c:AABB%pppoe0 prefixlen 64 scopeid 0x8
    	inet 213.231.x.x --> 213.231.x.x netmask 0xffffffff
    	nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
    ```
    


    The machine is a Symantec.
    You can see the mistakes here…
    On the left side, the MAC address string shows zeroes (the real one that I've set, 00:13:8f, is gone), and on the right side the link type is gone too; the LAN channel shows 100FD..

    OK, now the Snort rules. Add the files from here; it needs only a registration and an MD5 sum to get the file: https://www.snort.org/account/oinkcode

    Subscriber Release

    http://www.snort.org/sub-rules/<filename>/<oinkcode here>

    Registered User Release

    http://www.snort.org/reg-rules/<filename>/<oinkcode here>

    snortrules-snapshot-2931.tar.gz\snortrules-snapshot-2931.tar:

    ```
    etc/
    etc/classification.config
    etc/gen-msg.map
    etc/reference.config
    etc/sid-msg.map
    etc/snort.conf
    etc/threshold.conf
    etc/unicode.map
    preproc_rules/
    preproc_rules/decoder.rules
    preproc_rules/preprocessor.rules
    preproc_rules/sensitive-data.rules
    rules/
    many files ^^
    so_rules/
    more many files ^^
    ```


  • No one about PPPoE?!?

