Re: QinQ and 802.1ah headers

["Al Lewis \(allewi\) via Snort-users" <snort-users () lists snort org>]

Its a little easier in Snort++ than in Snort2.

There are instructions in each version for extending snorts capabilities (within their downloads).


Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com<mailto:allewi () cisco com>

From: Jan Hugo Prins <jhp () jhprins org<mailto:jhp () jhprins org>>
Date: Thursday, October 19, 2017 at 7:11 AM
To: allewi <allewi () cisco com<mailto:allewi () cisco com>>
Cc: "snort-users () lists snort org<mailto:snort-users () lists snort org>" <snort-users () lists snort 
org<mailto:snort-users () lists snort org>>
Subject: Re: [Snort-users] QinQ and 802.1ah headers

How much work would it be to support this header? As far as I'm concerned it would be enough to strip the header and 
work with the underneath packet.

Jan Hugo

On October 19, 2017 12:41:32 PM GMT+02:00, "Al Lewis (allewi)" <allewi () cisco com<mailto:allewi () cisco com>> wrote:

Hello,

 So it doesn’t look like the traffic (0x88e7 tag) is supported as seen from the exit stats (ipv4 packets are zero).

________________________________

Breakdown by protocol (includes rebuilt packets):
Eth: 5 (100.000%)
VLAN: 5 (100.000%)
IP4: 0 ( 0.000%)



As a workaround you could try to:


1) move the capture/port mirror closer to the internal hosts so that those tags arent present.


2) run snort inline between your lan segments going outbound/inbound (before the tags are stacked on).




Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com<mailto:allewi () cisco com>








On 10/19/17, 6:12 AM, "jan hugo prins" <jhp () jhprins org<mailto:jhp () jhprins org>> wrote:

Sure,

Thanks in advance,
Jan Hugo Prins


On 10/19/2017 11:53 AM, Al Lewis (allewi) wrote:
 Do you have a sample that you can share?

 Snort should be able to decode those packets.


 Albert Lewis
 ENGINEER.SOFTWARE ENGINEERING
 SOURCEfire, Inc. now part of Cisco
 Email: allewi () cisco com<mailto:allewi () cisco com>








 On 10/19/17, 4:01 AM, "Snort-users on behalf of jan hugo prins" <snort-users-bounces () lists snort 
org<mailto:snort-users-bounces () lists snort org> on behalf of jhp () jhprins org<mailto:jhp () jhprins org>> wrote:

 Hello

 I'm trying to setup a snort instance to monitor some inbound traffic to
 my production network. We use an Avaya SPBM cloud and all servers are
 connected to this cloud. In the VSP7024 switches we use, I can create a
 port-mirroring instance and forward all traffic coming from a MAC
 address (in this case the BGP router of my provider) to a port on the
 switch and then I wanted to put snort behind this port and let it listen
 to all inbound traffic.

 When I started snort I noticed that snort was not seeing any traffic, at
 least not something that it could handle / analyze. I then started
 tcpdump to see what the traffic looked like and I saw that both the
 802.1ah header with the service tag and the vlan header with the vlan
 tag were still in the packets. I would assume that snort can handle vlan
 tags, but what about 802.1ah headers with service tags, does snort know
 what to do with them?

 I thought about creating a subinterface on my linux box to strip the
 802.1ah header but so far I have not found a linux driver that can do
 this for me.

 Jan Hugo


________________________________

 Snort-users mailing list
 Snort-users () lists snort org<mailto:Snort-users () lists snort org>
 Go to this URL to change user options or unsubscribe:
 https://lists.snort.org/mailman/listinfo/snort-users

 Please visit http://blog.snort.org to stay current on all the latest Snort news!


--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!