Snort mailing list archives

Re: ERSPAN


From: "Carter Waxman (cwaxman)" <cwaxman () cisco com>
Date: Tue, 1 Apr 2014 13:13:57 +0000

Hello,

It appears most of the packets in "notdecoded.pcap" are malformed (in particular, the IP->GRE->IP data), and the output 
you are seeing is from GRE-encapsulated non-IP data (at least this is how Wireshark and Snort interpret it). The 
packets that are malformed are simply being dropped by Snort.

I can't speak for your network, but somehow the length fields in the outer IP headers are smaller than they should 
be (ex. 87 — the length without the GRE and inner ethernet headers — instead of 115 for the first packet), which is why 
these packets are being rejected.

-Carter

From: "Russ Combs (rucombs)" <rucombs () cisco com>
Date: Monday, March 31, 2014 11:40 AM
To: Fernando Cardoso <fcardoso () ymail com>, "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] ERSPAN

Can you send a pcap?
________________________________
From: Fernando Cardoso [fcardoso () ymail com]
Sent: Friday, March 28, 2014 11:00 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] ERSPAN

Hello,

I'm using Snort version 2.9.6.0 GRE (Build 47) on an Ubuntu Server to sniff ERSPAN traffic.
Snort output shows me the entire packet of many different VLANs, but the source and destination addresses are the same 
ones configured in my switch session.
Sniffing example running snort:
snort -X -i eth1
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/28-11:37:15.569789 10.199.11.1 -> 10.200.10.10
GRE TTL:255 TOS:0x0 ID:900 IpLen:20 DgmLen:84 DF
0x0000: 00 50 56 91 06 B7 54 7F EE 96 AC 7C 08 00 45 00  .PV...T....|..E.
0x0010: 00 54 03 84 40 00 FF 2F 65 02 0A C7 C7 01 0A 64  .T..@../e......d
0x0020: 36 C8 10 00 88 BE 32 4E CB 44 12 6B 00 01 00 01  6.....2N.D.k....
0x0030: 00 00 02 0A BD 00 00 00 02 0A BE 00 00 00 89 03  ................
0x0040: 40 20 00 B0 D1 34 32 31 00 50 56 91 72 E3 81 00  @ ...421.PV.r...
0x0050: 02 6B 08 00 45 00 00 28 67 D8 40 00 40 06 E8 6A  .k..E..(g.@.@..j
0x0060: 0A FC 13 05 BA DF 11 AD 1F 90 C6 6E 81 51 5B D9  ...........n.Q[.
0x0070: 6E 90 0F 3E 50 10 00 F2 83 5D 00 00 00 00 00 00  n..>P....]......
                              ..
Where 10.199.11.1 is my source and 10.200.10.10 is my destination in my session configuration.

When I use tools like tshark and gulp, I can see the right source and destination, not only the source and destination from GRE.

My switch is a Nexus 5k and my config is something like this:
session 1
---------------
type              : erspan-source
state             : up
erspan-id         : 1
vrf-name          : default
destination-ip    : 10.200.10.10
ip-ttl            : 255
ip-dscp           : 0
origin-ip         : 10.199.11.1 (global)
source intf       :
    rx            :
    tx            :
    both          :
source VLANs      :
    rx            : 10,50,100-150


My question is, can Snort show the destination and source IP addresses from decapsulated ERSPAN like tshark and gulp?
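
The following is an added illustration of the two points in this thread (the inner addresses Fernando wants to see, and the short outer IP length Carter diagnoses); it is example code written for this page, not Snort's or the list's own. It walks Ethernet/IPv4/GRE/ERSPAN Type II down to the inner IPv4 header and flags an outer total length that stops short of the inner datagram; the frames, addresses, VLAN and session id are constructed, and `shorten=28` models the 87-versus-115 gap Carter describes.

```python
import struct
from ipaddress import IPv4Address

ETH_LEN, ETHERTYPE_IP, ETHERTYPE_VLAN, PROTO_GRE, GRE_PROTO_ERSPAN = 14, 0x0800, 0x8100, 47, 0x88BE

def ipv4_header(src, dst, payload_len, proto, total_len=None):
    # Minimal 20-byte IPv4 header (checksum left 0); total_len can be forced to mimic a bad sender.
    total = 20 + payload_len if total_len is None else total_len
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0x0384, 0x4000, 255, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)

def build_erspan_frame(shorten=0):
    """Constructed sample: Ethernet/IPv4/GRE(seq)/ERSPAN II carrying an 802.1Q-tagged inner IPv4 frame.
    shorten > 0 makes the outer IPv4 total length that many bytes too small, as in the thread's pcap."""
    inner = (bytes.fromhex("00b0d1343231" "0050569172e3") + struct.pack("!HHH", ETHERTYPE_VLAN, 50, ETHERTYPE_IP)
             + ipv4_header("10.0.50.7", "10.0.100.9", 20, 6) + bytes(20))      # 20 dummy TCP bytes
    gre = struct.pack("!HHI", 0x1000, GRE_PROTO_ERSPAN, 0x324ECB44)           # S bit set: a sequence number follows
    erspan = struct.pack("!HHI", (1 << 12) | 50, 1, 0)                         # version 1 (Type II), VLAN 50, session 1
    payload = gre + erspan + inner
    outer_ip = ipv4_header("10.199.11.1", "10.200.10.10", len(payload), PROTO_GRE, 20 + len(payload) - shorten)
    return bytes.fromhex("0050569106b7" "547fee96ac7c") + struct.pack("!H", ETHERTYPE_IP) + outer_ip + payload

def decap_erspan(frame):
    """Walk Ethernet -> IPv4 -> GRE -> ERSPAN II -> inner Ethernet -> inner IPv4; return the outer and inner
    address pairs plus a list of length problems (the kind of defect that makes Snort drop the packet)."""
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IP or frame[23] != PROTO_GRE:
        raise ValueError("outer frame is not IPv4 carrying GRE")
    outer_len, ihl = struct.unpack_from("!H", frame, 16)[0], (frame[ETH_LEN] & 0x0F) * 4
    result = {"outer": (str(IPv4Address(frame[26:30])), str(IPv4Address(frame[30:34]))), "problems": []}
    gre = ETH_LEN + ihl
    flags, gre_proto = struct.unpack_from("!HH", frame, gre)
    if gre_proto != GRE_PROTO_ERSPAN:
        raise ValueError(f"GRE payload type 0x{gre_proto:04x} is not ERSPAN II")
    # Optional GRE fields (checksum bit 15, key bit 13, sequence bit 12) each add 4 bytes before the payload.
    ers = gre + 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
    ver_vlan, cos_sess = struct.unpack_from("!HH", frame, ers)
    result["erspan"] = {"version": ver_vlan >> 12, "vlan": ver_vlan & 0x0FFF, "session": cos_sess & 0x03FF}
    inner, ip = ers + 8, ers + 22                          # fixed 8-byte Type II header, then 14-byte inner Ethernet
    etype = struct.unpack_from("!H", frame, inner + 12)[0]
    if etype == ETHERTYPE_VLAN:                            # 802.1Q tag: VLAN id, then the real EtherType
        result["inner_vlan"] = struct.unpack_from("!H", frame, inner + 14)[0] & 0x0FFF
        etype, ip = struct.unpack_from("!H", frame, inner + 16)[0], ip + 4
    if etype != ETHERTYPE_IP:
        raise ValueError(f"inner EtherType 0x{etype:04x} is not IPv4")
    inner_len = struct.unpack_from("!H", frame, ip + 2)[0]
    result["inner"] = (str(IPv4Address(frame[ip + 12:ip + 16])), str(IPv4Address(frame[ip + 16:ip + 20])))
    needed = ip + inner_len - ETH_LEN                      # the outer datagram must cover the whole inner datagram
    if outer_len < needed:
        result["problems"].append(f"outer IPv4 total length {outer_len} is {needed - outer_len} bytes short")
    return result
```

Running `decap_erspan(build_erspan_frame(shorten=28))` reports the inner 10.0.50.7 -> 10.0.100.9 pair together with a 28-byte shortfall, which is the consistency check a decoder applies before it can trust the inner header.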

