Project

General

Profile

Actions
Copy link

Bug #16229

open

Snort cannot run on if_pppoe interfaces

Added by Steve Wheeler 3 months ago. Updated about 2 months ago.

Status:
Confirmed
Priority:
Normal
Assignee:
-
Category:
Snort
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Affected Version:
2.8.0
Affected Plus Version:
25.07
Affected Architecture:
All

Description

Snort will fail to start if enabled on a PPPoE interfaces using the new if_pppoe module:

Jun 4 13:57:25     snort     40131     Acquiring network traffic from "pppoe0".
Jun 4 13:57:25     snort     40131     Initializing daemon mode
Jun 4 13:57:25     snort     1649     Daemon initialized, signaled parent pid: 40131
Jun 4 13:57:25     snort     1649     Reload thread starting...
Jun 4 13:57:25     snort     1649     Reload thread started, thread 0x3e191fa16d00 (1649)
Jun 4 13:57:25     snort     1649     FATAL ERROR: Cannot decode data link type 51

This appears to be because the interface returns encapsulated traffic when capturing on it and Snort doesn't currently decode that.

Tested in 2.8 with Snort package 4.1.6_25

See: https://forum.netgate.com/post/1216659

Actions
Copy link

Also available in: Atom PDF