Bug #16229

open

Snort cannot run on if_pppoe interfaces

Added by Steve Wheeler 3 months ago. Updated about 2 months ago.

Status: Confirmed
Priority: Normal
Assignee: -
Category: Snort
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Affected Version: 2.8.0
Affected Plus Version: 25.07
Affected Architecture: All

Description

Snort will fail to start if enabled on a PPPoE interface using the new if_pppoe module:

Jun 4 13:57:25     snort     40131     Acquiring network traffic from "pppoe0".
Jun 4 13:57:25     snort     40131     Initializing daemon mode
Jun 4 13:57:25     snort     1649     Daemon initialized, signaled parent pid: 40131
Jun 4 13:57:25     snort     1649     Reload thread starting...
Jun 4 13:57:25     snort     1649     Reload thread started, thread 0x3e191fa16d00 (1649)
Jun 4 13:57:25     snort     1649     FATAL ERROR: Cannot decode data link type 51 

This appears to be because the interface returns encapsulated traffic when capturing on it and Snort doesn't currently decode that.

Tested in 2.8 with Snort package 4.1.6_25

See: https://forum.netgate.com/post/1216659

Actions #1

Updated by Steve Wheeler 3 months ago

  • Affected Version set to 2.8.0
  • Affected Plus Version set to 25.03
Actions #2

Updated by Steve Wheeler 3 months ago

  • Affected Architecture All added
Actions #3

Updated by Sayed Mohammad Badiezadegan 3 months ago

  • Status changed from New to Confirmed
Actions #4

Updated by Jim Pingle 2 months ago

  • Affected Plus Version changed from 25.03 to 25.07
Actions #5

Updated by Andrew Bruce about 2 months ago

Steve Wheeler wrote:

Snort will fail to start if enabled on a PPPoE interface using the new if_pppoe module:

[...]

This appears to be because the interface returns encapsulated traffic when capturing on it and Snort doesn't currently decode that.

Tested in 2.8 with Snort package 4.1.6_25

See: https://forum.netgate.com/post/1216659

This also impacts Suricata on 25.07 and if_pppoe as well - if Suricata is left running on the WAN PPPoE interface, it will log to suricata.log for the PPPoE interface and fill up the filesystem. My log location is at /var/log/suricata/suricata_pppoe0862/suricata.log and was 19GB when firewall traffic degraded.

Log file was filled with the following, logged multiple times per second:
Error: pcap: datalink type 51 not yet supported
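
Added example, not part of the report and not code from Snort, Suricata or pfSense: in libpcap, data link type 51 is DLT_PPP_ETHER, where each captured frame begins with a PPPoE session header (RFC 2516) and a PPP protocol field instead of an Ethernet or raw IP header. The sketch below shows the framing a decoder has to strip before reaching the IP packet; `pppoe_decode` and `struct pppoe_inner` are hypothetical names, and an uncompressed 2-byte PPP protocol field is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constants from pcap/dlt.h, RFC 2516 and the PPP protocol number registry. */
#define DLT_PPP_ETHER  51      /* the "data link type 51" in both logs */
#define PPPOE_HDR_LEN  6       /* ver/type, code, session id, length */
#define PPP_PROTO_IPV4 0x0021
#define PPP_PROTO_IPV6 0x0057

struct pppoe_inner {           /* hypothetical result type for this example */
    uint16_t session_id;
    uint16_t ppp_proto;
    const uint8_t *payload;    /* first byte of the inner (IP) packet */
    size_t payload_len;
};
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Strip PPPoE + PPP framing; 0 on success, -1 if malformed, truncated or not session data. */
int pppoe_decode(const uint8_t *f, size_t caplen, struct pppoe_inner *out)
{
    if (caplen < PPPOE_HDR_LEN + 2) return -1;  /* need header + PPP protocol */
    if (f[0] != 0x11) return -1;                /* version 1, type 1 */
    if (f[1] != 0x00) return -1;                /* code 0 = session data */
    size_t plen = be16(f + 4);                  /* bytes following the header */
    if (plen < 2 || plen > caplen - PPPOE_HDR_LEN) return -1;
    out->session_id  = be16(f + 2);
    out->ppp_proto   = be16(f + 6);
    out->payload     = f + PPPOE_HDR_LEN + 2;
    out->payload_len = plen - 2;                /* excludes Ethernet padding */
    return 0;
}

/* Constructed sample: session 0x002a carrying a bare 20-byte IPv4 header
 * (192.0.2.1 -> 198.51.100.2, checksum left zero). */
static const uint8_t sample_frame[] = {
    0x11, 0x00, 0x00, 0x2a, 0x00, 0x16,         /* PPPoE header, length 22 */
    0x00, 0x21,                                 /* PPP protocol: IPv4 */
    0x45, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x00, 0x40, 0x01,
    0x00, 0x00, 0xc0, 0x00, 0x02, 0x01, 0xc6, 0x33, 0x64, 0x02,
};

int main(void) {
    struct pppoe_inner r;
    if (pppoe_decode(sample_frame, sizeof sample_frame, &r) != 0) return 1;
    printf("DLT %d: session 0x%04x proto 0x%04x inner %zu bytes\n",
           DLT_PPP_ETHER, r.session_id, r.ppp_proto, r.payload_len);
    return 0;
}
```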
