Snort mailing list archives

Re: ERSPAN and IDS


From: "Carter Waxman (cwaxman)" <cwaxman () cisco com>
Date: Thu, 2 Oct 2014 13:22:22 +0000

Hi Steven,

From what I remember, that issue was related to additional headers being present in the traffic… Do you have any 
information regarding the actual traffic / headers? Try enabling all decoder alerts. Also, take a look at the 
per-protocol statistics printed when Snort exits. If Snort is giving up because of a strange header, it should be 
evident how far it is actually decoding…

Also, this should be on snort-users. Adding…

Thanks,
Carter

From: "Rigby, Steven" <RigbyS () byui edu>
Date: Tuesday, September 30, 2014 at 11:11 AM
To: Carter Waxman <cwaxman () cisco com>
Subject: ERSPAN and IDS

Hi Carter,
I saw your post online about issues pulling out the correct source/dest IP from ERSPAN traffic.  I have the same issue… 
I have a VM on a UCS server where it is receiving ERSPAN traffic and the only IP that gets decoded is the span 
source/dest IP.  Tshark will decode and show the correct traffic.

Were you able to find a workaround to get the correct IPs to show up?

Thank you for your help!!

Steve

Steven Rigby PhD
Department Chair / Faculty
Computer Information Technology Department
BYU-Idaho
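As an added illustration (not part of the thread), the following Python decoder shows the difference Steven describes: stopping at the first IPv4 header yields only the span source/destination, while walking the GRE and ERSPAN Type II headers yields the mirrored packet's addresses. The sample frame, MAC addresses and IP addresses are constructed for the example; the header layouts assumed are the standard ERSPAN Type II encapsulation (GRE with the sequence bit set and protocol 0x88BE, followed by an 8-byte ERSPAN header).

```python
import socket
import struct

ETH_LEN, ETHERTYPE_IP, IPPROTO_GRE, ETHERTYPE_ERSPAN2 = 14, 0x0800, 47, 0x88BE

def parse_ipv4(buf):
    """Return (src, dst, protocol, payload) for one IPv4 header."""
    ihl = (buf[0] & 0x0F) * 4
    return socket.inet_ntoa(buf[12:16]), socket.inet_ntoa(buf[16:20]), buf[9], buf[ihl:]

def outer_endpoints(frame):
    """What a decoder that stops at the first IP header reports: the span tunnel endpoints."""
    src, dst, _, _ = parse_ipv4(frame[ETH_LEN:])
    return src, dst

def inner_endpoints(frame):
    """Walk Ethernet / IPv4 / GRE / ERSPAN Type II and return the monitored packet's addresses."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IP:
        raise ValueError("outer frame is not IPv4")
    _, _, proto, gre = parse_ipv4(frame[ETH_LEN:])
    if proto != IPPROTO_GRE:
        raise ValueError("outer IPv4 payload is not GRE (proto %d)" % proto)
    gre_flags, gre_proto = struct.unpack("!HH", gre[:4])
    # Optional GRE fields (checksum+reserved, key, sequence) are 4 bytes each; ERSPAN II sets S.
    gre_len = 4 + sum(4 for bit in (0x8000, 0x2000, 0x1000) if gre_flags & bit)
    if gre_proto != ETHERTYPE_ERSPAN2:
        raise ValueError("GRE protocol 0x%04x is not ERSPAN Type II" % gre_proto)
    erspan = gre[gre_len:gre_len + 8]            # 8-byte ERSPAN Type II header
    session_id = struct.unpack("!H", erspan[2:4])[0] & 0x03FF
    inner = gre[gre_len + 8:]                     # the mirrored Ethernet frame
    if struct.unpack("!H", inner[12:14])[0] != ETHERTYPE_IP:
        raise ValueError("mirrored frame is not IPv4")
    src, dst, proto, _ = parse_ipv4(inner[ETH_LEN:])
    return src, dst, proto, session_id

# Constructed sample frame (not a real capture): outer IPv4/GRE/ERSPAN II around a mirrored TCP SYN.
def _ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64, proto,
                      0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def _eth(payload):
    return b"\x02\x00\x00\x00\x00\x01\x02\x00\x00\x00\x00\x02" + struct.pack("!H", ETHERTYPE_IP) + payload

_tcp = struct.pack("!HHIIBBHHH", 51234, 443, 1, 0, 5 << 4, 0x02, 8192, 0, 0)   # SYN, no payload
_monitored = _eth(_ipv4("192.0.2.10", "198.51.100.20", 6, _tcp))
_erspan = struct.pack("!HHI", (1 << 12) | 100, (3 << 11) | 7, 0)  # ver 1, VLAN 100, En 3, session 7
_gre = struct.pack("!HHI", 0x1000, ETHERTYPE_ERSPAN2, 42)          # S bit set, proto 0x88BE, seq 42
SAMPLE_FRAME = _eth(_ipv4("10.0.0.1", "10.0.0.2", IPPROTO_GRE, _gre + _erspan + _monitored))
```

Calling `outer_endpoints(SAMPLE_FRAME)` returns the 10.0.0.x span endpoints, while `inner_endpoints(SAMPLE_FRAME)` returns the mirrored 192.0.2.10 to 198.51.100.20 TCP flow and the ERSPAN session ID; a decoder that raises on the GRE or ERSPAN layer is the point at which to look in the per-protocol statistics.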
