Snort mailing list archives
Re: ERSPAN and IDS
From: "Carter Waxman (cwaxman)" <cwaxman () cisco com>
Date: Thu, 2 Oct 2014 13:22:22 +0000
Hi Steven,
From what I remember, that issue was related to additional headers being present in the traffic… Do you have any information regarding the actual traffic / headers? Try enabling all decoder alerts. Also, take a look at the per-protocol statistics printed when Snort exits. If Snort is giving up because of a strange header, it should be evident how far it is actually decoding…
Also, this should be on snort-users. Adding… Thanks, Carter From: <Rigby>, Steven <RigbyS () byui edu<mailto:RigbyS () byui edu>> Date: Tuesday, September 30, 2014 at 11:11 AM To: Carter Waxman <cwaxman () cisco com<mailto:cwaxman () cisco com>> Subject: ERSPAN and IDS Hi Carter, I saw your post online about issues pulling out the correct source/dest IP from ERSPAN traffic. I have the same issue… I have a VM on a UCS server where it is receiving ERSPAN traffic and the only IP that gets decoded is the span source/dest IP. Tshark will decode and show the correct traffic. Were you able to find a workaround to get the correct IP’s to show up? Thank you for your help!! Steve Steven Rigby PhD Department Chair / Faculty Computer Information Technology Department BYU-Idaho
------------------------------------------------------------------------------ Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Re: ERSPAN and IDS Carter Waxman (cwaxman) (Oct 02)