Snort mailing list archives

Problems with MPLS traffic


From: Packet Hack <pckthck () gmail com>
Date: Fri, 31 Jan 2014 14:07:42 -0500

Our network recently began implementing MPLS. As snort is MPLS compatible,
we weren't expecting any problems. However, our event count declined
significantly immediately after the change was made.

I did some digging, and it seems that snort may have problems with MPLS
packets. I did a capture with the PF_RING tcpdump with the following
filters (I note that tcpdump itself doesn't seem to be able to decode MPLS
well):

  mpls
  not mpls

Running snort with -vX on the mpls capture and the non-mpls capture
shows that snort can decode each.

    % snort -vX -r /tmp/mpls-3.cap
    [...]

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    01/31-13:10:06.582169 50.X.X.X:53246 -> X.X.X.X:80
    TCP TTL:49 TOS:0x0 ID:51174 IpLen:20 DgmLen:410 DF
    ***AP*** Seq: 0x25E8887F  Ack: 0x1016E18E  Win: 0x202B  TcpLen: 32
    TCP Options (3) => NOP NOP TS: 457447060 365150107
    0x0000: 3C DF 1E 8C C3 00 A4 4C 11 E5 49 C0 88 47 00 A8  <......L..I..G..
    0x0010: A1 31 45 00 01 9A C7 E6 40 00 31 06 E4 DA 32 XX  .1E.....@.1...2P
    0x0020: XX XX XX XX XX XX CF FE 00 50 25 E8 88 7F 10 16  ....J....P%.....
    0x0030: E1 8E 80 18 20 2B 6D 3B 00 00 01 01 08 0A 1B 44  .... +m;.......D
    0x0040: 16 94 15 C3 BF 9B 47 45 54 20 2F 77 70 2D 63 6F  ......GET /wp-co
    0x0050: 6E 74 65 6E 74 2F 74 68 65 6D 65 73 2F 75 66 6C  ntent/themes/ufl
    0x0060: 2F 6C 69 62 72 61 72 79 2F 6A 73 2F 61 75 74 6F  /library/js/auto

Stats (edited):

    Packet I/O Totals:
       Received:        10000
       Analyzed:        10000 (100.000%)
        Dropped:            0 (  0.000%)
       Filtered:            0 (  0.000%)
    Outstanding:            0 (  0.000%)
       Injected:            0

===============================================================================
    Breakdown by protocol (includes rebuilt packets):
            Eth:        10000 (100.000%)
            IP4:        10000 (100.000%)
            TCP:        10000 (100.000%)
    [....]
           MPLS:        10000 (100.000%)


    % snort -vX -r /tmp/not-mpls.cap (works as expected)

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    01/31-11:38:03.216943 X.X.X.X:56010 -> 64.X.X.X:80
    TCP TTL:125 TOS:0x0 ID:1733 IpLen:20 DgmLen:1420 DF
    ***A**** Seq: 0xF5F77CAF  Ack: 0xF2B2F688  Win: 0x101  TcpLen: 20
    0x0000: 00 0E 83 C6 9B 40 A4 4C 11 E5 49 C0 08 00 45 00  .....@.L..I...E.
    0x0010: 05 8C 06 C5 40 00 7D 06 2D 25 XX XX XX XX XX XX  ....@.}.-%...h@8
    0x0020: XX F0 DA CA 00 50 F5 F7 7C AF F2 B2 F6 88 50 10  _....P..|.....P.
    0x0030: 01 01 40 EE 00 00 47 45 54 20 2F 64 61 74 61 2F  ..@...GET /data/

However, when run like so against the MPLS capture:

    % snort -F /tmp/bpf -vX -r /tmp/mpls-3.cap

with a BPF file containing only

    port 80

snort finishes without decoding a single packet:

    Packet I/O Totals:
       Received:            0
       Analyzed:            0 (  0.000%)
        Dropped:            0 (  0.000%)
       Filtered:            0 (  0.000%)
    Outstanding:            0 (  0.000%)
       Injected:            0
    [...]
            Eth:            0 (  0.000%)
           VLAN:            0 (  0.000%)
            IP4:            0 (  0.000%)
           Frag:            0 (  0.000%)
           ICMP:            0 (  0.000%)
            UDP:            0 (  0.000%)
            TCP:            0 (  0.000%)
    [...]
           MPLS:            0 (  0.000%)

If the same logic used to apply the BPF filter to MPLS rules is used
to apply port specifications in snort rules, snort will be missing lots
of packets, especially rules with $HTTP_PORTS. I don't know if
that's the case, however.

System info:

    Production snort host
    ---------------------
    OS          : ubuntu 10.04
    snort       : 2.9.5.6/PF_RING daq 5.6.1

The capture files were also tested here:

    Test machine
    ------------
    OS          : Red Hat Enterprise Linux Server release 6.5 (Santiago)
    snort       : 2.9.6.0/Centos RPM from snort.org

with the same results.

If there's something we need to do to get this working, please let us know.

Capture files available on request.

-- pckthck
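An added illustration of the offset problem the zero-packet stats above point at (example code written for this archive page, not code from the post or from Snort): a `port 80` check that assumes IPv4 starts right after the 14-byte Ethernet header skips every frame whose ethertype is 0x8847, while a check that first walks the MPLS label stack finds the same 53246 -> 80 ports that `snort -vX` decoded. The frame bytes are constructed from the post's first dump, with placeholder IP addresses and checksums.

```python
import struct

ETH_P_IP = 0x0800        # IPv4 directly after the 14-byte Ethernet header
ETH_P_MPLS_UC = 0x8847   # MPLS unicast label stack after the Ethernet header

# Constructed frame modelled on the first hex dump in the post: MACs, ethertype,
# label entry and TCP ports are the dump's bytes; IP addresses and checksums
# are placeholders from the RFC 5737 documentation ranges, not real hosts.
MPLS_FRAME = bytes.fromhex(
    "3cdf1e8cc300a44c11e549c0" "8847"                    # Ethernet, MPLS
    "00a8a131"                                           # label 2698, S=1, TTL 49
    "4500019ac7e640003106e4da" "c000020a" "c6336414"    # IPv4, proto 6 = TCP
    "cffe0050" "25e8887f" "1016e18e" "5018202b00000000"  # TCP 53246 -> 80
)

def eth_type(frame):
    return struct.unpack("!H", frame[12:14])[0]

def pop_mpls(frame):
    """Return (labels, payload_offset) after walking the MPLS label stack."""
    if eth_type(frame) != ETH_P_MPLS_UC:
        return [], 14
    off, labels = 14, []
    while True:
        entry = struct.unpack("!I", frame[off:off + 4])[0]
        labels.append(entry >> 12)   # label = top 20 bits of the 32-bit entry
        off += 4
        if entry & 0x100:            # S (bottom-of-stack) bit: last entry
            return labels, off

def ipv4_tcp_ports(frame, off):
    """Parse the IPv4 header at `off`; return (sport, dport) if TCP, else None."""
    if frame[off] >> 4 != 4 or frame[off + 9] != 6:
        return None
    tcp = off + (frame[off] & 0x0F) * 4   # IHL is counted in 32-bit words
    return struct.unpack("!HH", frame[tcp:tcp + 4])

def naive_port_match(frame, port):
    """'port N' assuming IPv4 follows Ethernet: 0x8847 at offset 12 never matches."""
    if eth_type(frame) != ETH_P_IP:
        return False
    ports = ipv4_tcp_ports(frame, 14)
    return ports is not None and port in ports

def mpls_aware_port_match(frame, port):
    """Same check after skipping the label stack (IP version nibble confirms IPv4)."""
    if eth_type(frame) not in (ETH_P_IP, ETH_P_MPLS_UC):
        return False
    ports = ipv4_tcp_ports(frame, pop_mpls(frame)[1])
    return ports is not None and port in ports
```

In pcap-filter syntax the `mpls` qualifier performs this same offset shift for the primitives that follow it, which is why the `mpls` capture filter in the post selects these frames while a bare `port 80` sees none of them.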