Snort mailing list archives
Re: Problems with MPLS traffic
From: Steven Sturges <steve.sturges () sourcefire com>
Date: Sat, 01 Feb 2014 17:00:04 -0500
Hi--

Thanks for the report. BPF is actually handled prior to the packets reaching Snort itself. When Snort gets the packet -- and as you demonstrate, decode mpls traffic -- it will apply the IP addresses and ports within the preprocessor configurations and rules correctly.

Cheers.
-steve

On 1/31/14 2:07 PM, Packet Hack wrote:
Our network recently began implementing MPLS. As snort is MPLS compatible, we weren't expecting any problems. However, our event count declined significantly immediately after the change was made. I did some digging, and it seems that snort may have problems with MPLS packets.

I did a capture with the PF_RING tcpdump with the following filters (I note that tcpdump itself doesn't seem to be able to decode MPLS well):

    mpls
    not mpls

Running snort with -vX on the mpls capture and the non-mpls capture shows that snort can decode each.

    % snort -vX -r /tmp/mpls-3.cap
    [...]
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    01/31-13:10:06.582169 50.X.X.X:53246 -> X.X.X.X:80
    TCP TTL:49 TOS:0x0 ID:51174 IpLen:20 DgmLen:410 DF
    ***AP*** Seq: 0x25E8887F  Ack: 0x1016E18E  Win: 0x202B  TcpLen: 32
    TCP Options (3) => NOP NOP TS: 457447060 365150107
    0x0000: 3C DF 1E 8C C3 00 A4 4C 11 E5 49 C0 88 47 00 A8  <......L..I..G..
    0x0010: A1 31 45 00 01 9A C7 E6 40 00 31 06 E4 DA 32 XX  .1E.....@.1...2P
    0x0020: XX XX XX XX XX XX CF FE 00 50 25 E8 88 7F 10 16  ....J....P%.....
    0x0030: E1 8E 80 18 20 2B 6D 3B 00 00 01 01 08 0A 1B 44  .... +m;.......D
    0x0040: 16 94 15 C3 BF 9B 47 45 54 20 2F 77 70 2D 63 6F  ......GET /wp-co
    0x0050: 6E 74 65 6E 74 2F 74 68 65 6D 65 73 2F 75 66 6C  ntent/themes/ufl
    0x0060: 2F 6C 69 62 72 61 72 79 2F 6A 73 2F 61 75 74 6F  /library/js/auto

Stats (edited):

    Packet I/O Totals:
       Received:        10000
       Analyzed:        10000 (100.000%)
        Dropped:            0 (  0.000%)
       Filtered:            0 (  0.000%)
    Outstanding:            0 (  0.000%)
       Injected:            0
    ===============================================================================
    Breakdown by protocol (includes rebuilt packets):
            Eth:        10000 (100.000%)
            IP4:        10000 (100.000%)
            TCP:        10000 (100.000%)
    [....]
           MPLS:        10000 (100.000%)

    % snort -vX -r /tmp/not-mpls.cap
    (works as expected)
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    01/31-11:38:03.216943 X.X.X.X:56010 -> 64.X.X.X:80
    TCP TTL:125 TOS:0x0 ID:1733 IpLen:20 DgmLen:1420 DF
    ***A**** Seq: 0xF5F77CAF  Ack: 0xF2B2F688  Win: 0x101  TcpLen: 20
    0x0000: 00 0E 83 C6 9B 40 A4 4C 11 E5 49 C0 08 00 45 00  .....@.L..I...E.
    0x0010: 05 8C 06 C5 40 00 7D 06 2D 25 XX XX XX XX XX XX  ....@.}.-%...h@8
    0x0020: XX F0 DA CA 00 50 F5 F7 7C AF F2 B2 F6 88 50 10  _....P..|.....P.
    0x0030: 01 01 40 EE 00 00 47 45 54 20 2F 64 61 74 61 2F  ..@...GET /data/

However, when run like so against the MPLS capture:

    % snort -F /tmp/bpf -vX -r /tmp/mpls-3.cap

with a BPF file containing only

    port 80

snort finishes without decoding a single packet:

    Packet I/O Totals:
       Received:            0
       Analyzed:            0 (  0.000%)
        Dropped:            0 (  0.000%)
       Filtered:            0 (  0.000%)
    Outstanding:            0 (  0.000%)
       Injected:            0
    [...]
            Eth:            0 (  0.000%)
           VLAN:            0 (  0.000%)
            IP4:            0 (  0.000%)
           Frag:            0 (  0.000%)
           ICMP:            0 (  0.000%)
            UDP:            0 (  0.000%)
            TCP:            0 (  0.000%)
    [...]
           MPLS:            0 (  0.000%)

If the same logic used to apply the BPF filter to MPLS rules is used to apply port specifications in snort rules, snort will be missing lots of packets, especially rules with $HTTP_PORTS. I don't know if that's the case, however.

System info:

Production snort host
---------------------
OS    : ubuntu 10.04
snort : 2.9.5.6/PF_RING
daq 5.6.1

The capture files were also tested here:

Test machine
------------
OS    : Red Hat Enterprise Linux Server release 6.5 (Santiago)
snort : 2.9.6.0/Centos RPM from snort.org

with the same results.

If there's something we need to do to get this working, please let us know. Capture files available on request.

--
pckthck
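Steve's point above is that the BPF filter runs before Snort's own decoder, so a filter that expects IPv4 directly after the Ethernet header sees nothing in the MPLS capture while Snort itself decodes the label stack fine. As an added illustration (not code from the thread, from Snort or from libpcap), the following Python walks the two frames quoted above: Ethernet, then any MPLS label stack, then the IPv4 header and TCP ports. The masked XX octets of the IP addresses are replaced with 0x00 placeholders, so the sample frames are constructed, not verbatim captures.

```python
import struct

ETH_P_IP = 0x0800
ETH_P_MPLS_UC = 0x8847  # ethertype at offset 12 of the MPLS frame (88 47)

# Frames from the two -vX dumps in the thread; masked "XX" octets -> 0x00 (constructed).
MPLS_FRAME = bytes.fromhex(
    "3cdf1e8cc300a44c11e549c0884700a8"   # Ethernet hdr, ethertype 0x8847, start of label
    "a1314500019ac7e640003106e4da3200"   # rest of label entry, then IPv4 header
    "000000000000cffe005025e8887f1016"   # masked IPs, then TCP ports 53246 -> 80
    "e18e8018202b6d3b00000101080a1b44"
    "169415c3bf9b474554202f77702d636f")
PLAIN_FRAME = bytes.fromhex(
    "000e83c69b40a44c11e549c008004500"   # Ethernet hdr, ethertype 0x0800, IPv4 directly
    "058c06c540007d062d25000000000000"
    "00f0daca0050f5f77caff2b2f6885010"   # TCP ports 56010 -> 80
    "010140ee0000474554202f646174612f")

def mpls_stack(frame, off):
    """Walk 4-byte label stack entries from off; return ([(label, TC, TTL)], offset after)."""
    labels = []
    while True:
        entry, = struct.unpack_from("!I", frame, off)
        labels.append((entry >> 12, (entry >> 9) & 0x7, entry & 0xFF))
        off += 4
        if (entry >> 8) & 1:            # S bit set: bottom of stack, payload follows
            return labels, off

def ipv4_ports(frame, off):
    """Return (proto, sport, dport) for the IPv4 header at off, or None if not IPv4."""
    if len(frame) < off + 20 or frame[off] >> 4 != 4:
        return None
    ihl, proto = (frame[off] & 0x0F) * 4, frame[off + 9]
    if proto not in (6, 17):            # ports only exist for TCP/UDP
        return (proto, None, None)
    return (proto,) + struct.unpack_from("!HH", frame, off + ihl)

def decode(frame, mpls_aware):
    """mpls_aware=False mimics a filter that only expects IPv4 right after Ethernet."""
    etype, = struct.unpack_from("!H", frame, 12)
    labels, off = [], 14
    if etype == ETH_P_MPLS_UC:
        if not mpls_aware:
            return None                 # the 'port 80' case from the thread: nothing matches
        labels, off = mpls_stack(frame, off)
    elif etype != ETH_P_IP:
        return None
    ports = ipv4_ports(frame, off)
    return None if ports is None else {"labels": labels, "proto": ports[0],
                                       "sport": ports[1], "dport": ports[2]}

def matches_port(frame, port, mpls_aware):
    d = decode(frame, mpls_aware)
    return d is not None and port in (d["sport"], d["dport"])
```

Running it, the MPLS frame carries a single label 2698 (bottom of stack, TTL 49, the same TTL Snort printed) and ports 53246 -> 80; it only matches port 80 when the label stack is skipped first. pcap-filter(7)'s `mpls` primitive, which the original poster already used to split the captures, applies the keywords that follow it to the encapsulated packet.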
Current thread:
- Problems with MPLS traffic Packet Hack (Jan 31)
- Re: Problems with MPLS traffic Steven Sturges (Feb 01)
- Re: Problems with MPLS traffic Packet Hack (Feb 17)
- Re: Problems with MPLS traffic Steven Sturges (Feb 01)