Snort mailing list archives

Snort with ERSPAN


From: "Rajput, Jawad (CONTR) via Snort-devel" <snort-devel () lists snort org>
Date: Mon, 5 Aug 2019 12:30:04 +0000

Good Morning,

We are trying to test Snort with ERSPAN version 1 and type 1. Snort absolutely does not detect anything. I can manually 
take off the first 38 bytes using the "editcap" utility and run the PCAP through Snort with positive hits.

My question is: is there a way to configure/compile Snort to skip the first 38 bytes while inspecting traffic?
Unfortunately, I cannot share a sample PCAP per organization policy.  

Jawad Rajput, CISSP
System Administrator
U.S. Department of Energy 
IM-62 /Germantown Building
HQ Network Security Team
Email: Jawad.Rajput () hq doe gov
Office: 301-903-2176
Office: 301-903-3895
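
An added example, not part of the original post and not Snort code: a Python version of the offline workaround the message describes, which checks each record for ERSPAN Type I encapsulation before removing it instead of cutting a fixed 38 bytes. It assumes ERSPAN Type I over IPv4, where the 38 bytes are the outer Ethernet (14), option-less IPv4 (20) and bare GRE (4) headers; the function names and the sample frames are constructed for illustration.

```python
import struct

GRE_PROTO_ERSPAN = 0x88BE  # GRE protocol type used by ERSPAN Type I and II

def erspan1_inner(frame: bytes):
    """Return the mirrored inner frame, or None if frame is not ERSPAN Type I."""
    if len(frame) < 38 or frame[12:14] != b"\x08\x00":      # outer must be IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4                             # outer IP header length
    if frame[14] >> 4 != 4 or ihl < 20 or frame[23] != 47:   # protocol 47 = GRE
        return None
    gre = 14 + ihl                                           # 34 when no IP options
    if len(frame) < gre + 4:
        return None
    flags, proto = struct.unpack_from("!HH", frame, gre)
    # Type I: bare 4-byte GRE header, no flags (no sequence number), no ERSPAN header
    if flags != 0 or proto != GRE_PROTO_ERSPAN:
        return None
    return frame[gre + 4:]

def strip_pcap(data: bytes) -> bytes:
    """Decapsulate ERSPAN Type I records in a little-endian Ethernet pcap."""
    magic, linktype = struct.unpack_from("<I", data)[0], struct.unpack_from("<I", data, 20)[0]
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected classic little-endian pcap with LINKTYPE_ETHERNET")
    out, off = bytearray(data[:24]), 24
    while off + 16 <= len(data):
        sec, usec, incl, orig = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16:off + 16 + incl]
        inner = erspan1_inner(frame)
        if inner is not None:                  # other records pass through unchanged
            orig = max(orig - (len(frame) - len(inner)), len(inner))
            frame = inner
        out += struct.pack("<IIII", sec, usec, len(frame), orig) + frame
        off += 16 + incl
    return bytes(out)

def sample_pcap():
    """Constructed input: one ERSPAN Type I record and one plain Ethernet record."""
    inner = bytes(12) + b"\x08\x00" + b"INNER-IP-PAYLOAD"
    outer_ip = bytes([0x45, 0, 0, 0, 0, 0, 0, 0, 64, 47]) + bytes(10)
    erspan = bytes(12) + b"\x08\x00" + outer_ip + b"\x00\x00\x88\xbe" + inner
    plain = bytes(12) + b"\x08\x06" + bytes(28)
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    recs = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in (erspan, plain))
    return hdr + recs, inner, plain
```

Records that fail the check (non-IPv4, non-GRE, or GRE with flags set) are written back untouched, so a capture that mixes mirrored and direct traffic is not corrupted by the rewrite.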
