Snort mailing list archives
Snort with ERSPAN
From: "Rajput, Jawad \(CONTR\) via Snort-devel" <snort-devel () lists snort org>
Date: Mon, 5 Aug 2019 12:30:04 +0000
Good Morning, We are trying to test Snort with ERSPAN version 1 and type 1, Snort absolutely does not detect anything. I can manually take off first 38 bytes using "editcap" utility and run the PCAP through Snort with positive hits. My question is, is there a way to configure/compile snort to skip first 38 bytes while inspecting a traffic? Unfortunately, I cannot share a sample PCAP per organization policy. Jawad Rajput, CISSP System Administrator U.S. Department of Energy IM-62 /Germantown Building HQ Network Security Team Email: Jawad.Rajput () hq doe gov Office: 301-903-2176 Office: 301-903-3895 _______________________________________________ Snort-devel mailing list Snort-devel () lists snort org https://lists.snort.org/mailman/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Snort with ERSPAN Rajput, Jawad (CONTR) via Snort-devel (Aug 05)
- Re: Snort with ERSPAN Giles Coochey via Snort-devel (Aug 05)
- Re: Snort with ERSPAN Russ Combs (rucombs) via Snort-devel (Aug 05)
- Re: Snort with ERSPAN Giles Coochey via Snort-devel (Aug 05)