# Snort on "sniffer" interface.

## puddpunk

Hi there, This may be a little tough to grab hold of, but bear with me...

I have an ADSL modem. This modem doubles as a hub. I am soon to implement a linux server for my family's internet needs, and the ADSL modem can either operate as a router, or can be controlled with rpppoe (Point to Point over Ethernet). I thought that rpppoe would be the best option, because the security restrictions on the router are laughable, I managed to see the PPP password just by connecting to it, so I figured by using rpppoe, I would let linux handle all the security stuff, and the ADSL modem act, well, as a modem (instead of a router).

Here is the clincher, I want to run snort OUTSIDE my firewall (on the linux box) and I read in the snort manual that you can just bring an extra interface up with no IP address and you can sniff packets when listening from a hub (a hub broadcasts packets via all ports, right?). The question is, how can I connect this up, using rpppoe?

Here are some visual aids which I'm thinking of:

```
         ---------------
         |    ADSL     |
         |    modem    |
         ---------------
                |
         ---------------
         |     Hub     |
         ---------------
          |           |
          |           |
      -----           ------
 Sniffer I/face       Router i/face
      |                    |
     ------------------------
     |                      |
     |     Linux Server     |
     |                      |
     ------------------------
```

The sniffer interface has NO IP address, but should still receive traffic from the Hub connected to the ADSL modem.

That's all good, but the problem is, does rpppoe use some different kind of communication? Since the hub is broadcasting traffic from the ADSL modem in rpppoe mode, is snort going to be confused at all?

Can somebody else think of a better way of getting this done?

Thanks,

Chris.

----------

## Tiger

As long as the NIC you use for the sniffer i/face can use promiscuous mode it should work.

----------

## puddpunk

I admit, I don't really understand PPP or rpppoe for that matter (anyone got a good link for rpppoe?). I was just thinking if the router i/face and the modem were communicating in PPP (is it different to TCP/IP?), then the snort sniffer would scratch its head with all the PPP traffic that is coming through it.

But I'll take Tiger's advice and go for it anyway. Tiger: How can you tell if the NIC supports promiscuous mode? What is it exactly?

Thanks,

Chris.

----------

## puddpunk

I had another look inside my modem, and discovered it's using PPPoA encapsulation (PPP over ATM). Can I just change that to PPPoE for use with linux, or is it ISP dependent?

I don't get it! Can anybody help clear it up?

----------

## CL

I'm no expert on this subject and I haven't had to deal with it myself (although I might have to go through something like this in a couple of months when I'm moving and possibly switching from cable to DSL).

First things first: Can you see the PPP password when connecting to your modem from the outside too? Having it be visible to your local users probably isn't that much of a threat ... but if outsiders can see it then you should definitely report it to your ISP and whoever produced your modem (and maybe post it on bugtraq too).

Second: As far as I know then PPPoA support in Linux is sketchy ... at best. But take a look at http://tldp.org/HOWTO/DSL-HOWTO/ and maybe check out some of the resources they list.

Third: I'm fairly sure that you can't just set up PPPoE for Linux and expect that to work with PPPoA ... they're different creatures and have to be handled differently.

Fourth: If you can't see the PPP password from the outside then why not just run the modem in router mode? And then put in your Linux gateway to handle access control etc. And as far as I know then you don't need the second interface for Snort you can just capture things from the 'Router i/face'.

You'd use the 'promiscuous mode setup' if you had a separate box running Snort. It would then be hard-to-impossible for intruders to see that you're using Snort and to break into your Snort box and delete the logs.

```
              ---------------
              |    ADSL     |
              |    modem    |
              ---------------
                     |
              ---------------
              |     Hub     |
              ---------------
                 |        |
          --------        --------
          |                      |
    ----------             -------------
    | Snort  |             | Gateway   |
    |  Box   |             -------------
    ----------
```

Last edited by CL on Mon Mar 17, 2003 9:14 pm; edited 1 time in total

----------

## barlad

PPPoA and PPPoE are two different protocols, both are "ISP related".

That means that if you have been using PPPoA so far to connect to your ISP, you have to use it. I do not know all the details but it's very unlikely you can switch between PPPoE and PPPoA... I don't see how that could be possible. That said you can still call your ISP and make sure.

I did not understand everything. You are saying that the hub is broadcasting traffic from the ADSL in "rpppoe" mode? What does it mean? If you are indeed using PPPoA, then communication between your linux box and your modem will be done in PPPoA, rpppoe has no place in the process.

Snort will sniff everything that comes through... that means your external communications: your internet traffic, and your internal communications: your LAN traffic.

I never used snort but if you only want your local traffic (and skip the rest), there are probably filters and you can filter out the pppoa traffic. There is no way it can be "confused", it just grabs what it sees, analyzes it, and reports.

Anyway I am not an expert either so hm... take my words for what it's worth i.e.: not much.

----------

## puddpunk

Thanks for the replies guys! Just a few things:

*CL wrote:*

> First things first: Can you see the PPP password when connecting to your modem from the outside too? Having it be visible to your local users probably isn't that much of a threat ... but if outsiders can see it then you should definitely report it to your ISP and whoever produced your modem (and maybe post it on bugtraq too).

Yes, yes, I did see it connecting from the outside interface. I rang my ISP about it and they didn't really listen, but I fixed it by myself. The point is, there are probably more holes like that in the router and I just want to keep it out of the equation.

*CL wrote:*

> Third: I'm fairly sure that you can't just set up PPPoE for Linux and expect that to work with PPPoA ... they're different creatures and have to be handled differently.

Yea, there is a dropdown box (the ADSL modem runs a webserver from which you admin it) which has PPPoE, PPPoA and a few other options. Will I cause mayhem if I change that to PPPoE because I know that is supported well under linux?

*CL wrote:*

> Fourth: If you can't see the PPP password from the outside then why not just run the modem in router mode? And then put in your Linux gateway to handle access control etc. And as far as I know then you don't need the second interface for Snort you can just capture things from the 'Router i/face'.
>
> You'd use the 'promiscuous mode setup' if you had a separate box running Snort. It would then be hard-to-impossible for intruders to see that you're using Snort and to break into your Snort box and delete the logs.

That's looking to be the best idea at the moment. I just wanted the external IP available to the linux box so it can do things like run a mail server, instead of messing around with a separate network between the modem and the server.

*barlad wrote:*

> I do not know all the details but it's very unlikely you can switch between PPPoE and PPPoA... I don't see how that could be possible. That said you can still call your ISP and make sure.

I'm just trying to understand what PPPoE/A refers to. I just thought it was the protocol(?) that the Modem talks to the Server (my server, not the ISP one) with. If that is it, there shouldn't be any problem changing it, I don't think.

*barlad wrote:*

> I did not understand everything. You are saying that the hub is broadcasting traffic from the ADSL in "rpppoe" mode? What does it mean? If you are indeed using PPPoA, then communication between your linux box and your modem will be done in PPPoA, rpppoe has no place in the process.

ATM and Ethernet are different. I know that much. ATM uses packets that are ALL the same size and have different formats. I was just wondering if that would confuse snort at all. Since PPPoA in linux is shoddy, I was thinking of changing it to PPPoE and I, incorrectly, assumed that the different encapsulations would just confuse snort (as snort is used to pure IP traffic).

*barlad wrote:*

> Snort will sniff everything that comes through... that means your external communications: your internet traffic, and your internal communications: your LAN traffic.

Awesome. That's exactly what I want!

*barlad wrote:*

> I never used snort but if you only want your local traffic (and skip the rest), there are probably filters and you can filter out the pppoa traffic. There is no way it can be "confused", it just grabs what it sees, analyzes it, and reports.

If I wanted to sniff internal traffic, I guess I could just connect the promisc interface to the central hub in my house. I wanted to connect it so the sniffer will see EVERYTHING my external interface sees, before my firewall blocks traffic. So I know what's going on.

Thanks for all your help guys, Slowly we'll get this all sorted!

Cheers,

Chris.

----------

## puddpunk

Well, I rang my ISP. They don't officially support linux. No surprise there considering they are in bed with Microsoft (XtraMSN)! Anyway, I managed to wrestle a few hardware details out of the guy.

MUST be PPPoA. Anything else and I break shit/get angry phone calls from ISP. Fair enough, I'll take his word for it!

DO NOT BRIDGE! Whatever that means, it will have the same consequences as the first option!

He suggested that I should set it to forward all connections so my Linux machine can handle all the security that's needed (It does a better job as a firewall than the bloody nokia modem.)

Well that's it. It's fine with me! Is there an internal way that Linux can tell it's external IP address if it's sitting behind the router/modem? Or will I have to enlist the help of a website or two?

Thanks, Chris.

----------

## konqueror

Hi, I have played around a bit with such and may be able to help. First of all, the connection between your modem to PC, and connection between modem to ISP is or can be different. This means that you can possibly have pppoe to connect to the modem while your modem goes pppoa to your isp (I have such a modem). So the warnings that your isp gave you should be treated with a bit of salt - he is referring to the connection between modem and isp. If your modem can mod-demod ("modem") between the 2, there shouldn't be any problems.

Regarding setting up snort on the hub, yes, your snort will be able to see much more than what you probably want. The layers of traffic occurring at the hub will be ethernet, containing ppp, containing ethernet (that's pppoe for you. ppp carries the real traffic which your box uses, which in this case is ethernet. The pppd daemon inside your box is there to "demod" your ethernet off your ppp (oe) connection to your router, so that that's all your kernel has to see)

hth

----------
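The question running through the whole thread is what a sniffer plugged into that hub actually sees, and whether the PPPoE/PPPoA encapsulation "confuses" it. The following decoder is an added example, not code from this thread or from Snort: it walks a frame layer by layer the way any Ethernet-side sniffer must, handling the two cases the thread contrasts. In router mode the modem puts plain Ethernet/IPv4 on the hub; with a PPPoE session the same IPv4 packet arrives as Ethernet > PPPoE > PPP > IPv4, and PPPoE discovery frames (PADI and friends) carry no IP at all. PPPoA never appears on the hub: the ATM cells live on the DSL line between the modem and the exchange, so the Ethernet side shows only whichever of the above the modem is configured for. The sample frames, MAC addresses and IP addresses are constructed for the example, and the PPP parser assumes the uncompressed 2-byte PPP protocol field.

```python
"""Decode the encapsulation layers a sniffer sees on the hub between an
ADSL modem and a Linux box.  Added example, not code from this thread:
frames and addresses below are constructed for illustration."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional

ETH_P_IP = 0x0800          # EtherType: IPv4 carried directly in Ethernet (router mode)
ETH_P_PPPOE_DISC = 0x8863  # EtherType: PPPoE discovery (PADI/PADO/PADR/PADS/PADT)
ETH_P_PPPOE_SESS = 0x8864  # EtherType: PPPoE session, carries PPP frames
PPP_IPV4 = 0x0021          # PPP protocol number for IPv4


@dataclass
class Decoded:
    layers: List[str] = field(default_factory=list)  # outermost first
    pppoe_session: Optional[int] = None
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    ip_proto: Optional[int] = None


def _parse_ipv4(data: bytes, out: Decoded) -> None:
    """Pull source, destination and protocol from a minimal IPv4 header."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    if data[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    out.layers.append("ipv4")
    out.src_ip = ".".join(str(b) for b in data[12:16])
    out.dst_ip = ".".join(str(b) for b in data[16:20])
    out.ip_proto = data[9]


def decode_frame(frame: bytes) -> Decoded:
    """Walk Ethernet -> (PPPoE -> PPP ->) IPv4, recording each layer seen."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    out = Decoded()
    out.layers.append("ethernet")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:]
    if ethertype == ETH_P_IP:
        _parse_ipv4(payload, out)
    elif ethertype == ETH_P_PPPOE_DISC:
        # Discovery frames only set the session up; they never carry IP.
        out.layers.append("pppoe-discovery")
    elif ethertype == ETH_P_PPPOE_SESS:
        if len(payload) < 6:
            raise ValueError("truncated PPPoE header")
        ver_type, code, session, length = struct.unpack("!BBHH", payload[:6])
        if ver_type != 0x11 or code != 0x00:
            raise ValueError("unexpected PPPoE version/type/code")
        ppp = payload[6:6 + length]
        if length < 2 or len(ppp) < length:
            raise ValueError("PPPoE length field does not fit the frame")
        out.layers.append("pppoe-session")
        out.pppoe_session = session
        ppp_proto = struct.unpack("!H", ppp[:2])[0]  # assumes 2-byte protocol field
        if ppp_proto == PPP_IPV4:
            out.layers.append("ppp")
            _parse_ipv4(ppp[2:], out)
        else:
            # LCP (0xc021), IPCP (0x8021) etc.: link control, not user data.
            out.layers.append("ppp-0x%04x" % ppp_proto)
    else:
        out.layers.append("ethertype-0x%04x" % ethertype)
    return out


# --- constructed sample frames (made-up MAC and IP addresses) ----------------
def _ipv4_header(src: str, dst: str, proto: int) -> bytes:
    """Minimal 20-byte IPv4 header with a correct checksum and no payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                      bytes(int(x) for x in src.split(".")),
                      bytes(int(x) for x in dst.split(".")))
    csum = sum(struct.unpack("!10H", hdr))
    while csum >> 16:
        csum = (csum >> 16) + (csum & 0xFFFF)
    return hdr[:10] + struct.pack("!H", ~csum & 0xFFFF) + hdr[12:]


_MODEM_MAC = b"\x00\x11\x22\x33\x44\x55"
_LINUX_MAC = b"\x00\x66\x77\x88\x99\xaa"
_IP = _ipv4_header("10.0.0.2", "203.0.113.5", 6)  # TCP, LAN host to outside

# Router mode: the modem hands the hub plain Ethernet/IPv4.
ROUTER_MODE_FRAME = struct.pack("!6s6sH", _MODEM_MAC, _LINUX_MAC, ETH_P_IP) + _IP
# PPPoE mode: the same packet wrapped in PPPoE session 1 plus a PPP IPv4 header.
PPPOE_SESSION_FRAME = (struct.pack("!6s6sH", _MODEM_MAC, _LINUX_MAC, ETH_P_PPPOE_SESS)
                       + struct.pack("!BBHH", 0x11, 0x00, 1, 2 + len(_IP))
                       + struct.pack("!H", PPP_IPV4) + _IP)
# PPPoE discovery: a PADI broadcast (dst ff:ff:ff:ff:ff:ff) from the Linux box.
PPPOE_PADI_FRAME = (struct.pack("!6s6sH", b"\xff" * 6, _LINUX_MAC, ETH_P_PPPOE_DISC)
                    + struct.pack("!BBHH", 0x11, 0x09, 0, 0))

if __name__ == "__main__":
    for name, f in [("router mode", ROUTER_MODE_FRAME),
                    ("pppoe session", PPPOE_SESSION_FRAME),
                    ("pppoe discovery", PPPOE_PADI_FRAME)]:
        d = decode_frame(f)
        print("%-16s %s  %s -> %s" % (name, " > ".join(d.layers), d.src_ip, d.dst_ip))
```

The point for the sniffer box is that none of this confuses a decoder that checks the EtherType first: it either finds IPv4 directly or unwraps the PPPoE and PPP headers and then finds the same IPv4 packet. Snort's own Ethernet decoder does exactly that unwrapping for PPPoE, and libpcap's filter language has the `pppoed` and `pppoes` keywords if you want to restrict a capture to one side or the other. An interface with no IP address can still be brought up (`ip link set eth1 up`) and handed to Snort with `-i eth1`; libpcap puts it into promiscuous mode by default, which is what Tiger's reply is getting at.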

