Snort mailing list archives

Re: Snort OTV Inspection


From: Da Pozzo Matteo <m.dapozzo () reply it>
Date: Tue, 26 Jul 2016 13:03:28 +0000

Hi Albert,

Yes, of course! Please see the pcap file attached (note: Wireshark 2.0.4 won't recognize the packets properly; you might need Wireshark 1.12).

Thanks,

Matteo

Matteo Da Pozzo

Communication Valley
Via Robert Koch, 1/4
20152 - Milano - ITALY
phone: +39 02 535761
mobile: +39 345 4954311
m.dapozzo () reply it<mailto:m.dapozzo () reply it>
www.reply.it


From: Al Lewis (allewi) [mailto:allewi () cisco com]
Sent: Tuesday, 26 July 2016 14:05
To: Da Pozzo Matteo <m.dapozzo () reply it>; snort-devel () lists sourceforge net
Cc: Grazzani Marco <m.grazzani () reply it>
Subject: Re: [Snort-devel] Snort OTV Inspection

Can you provide a pcap of the traffic please?

Thanks.

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com<mailto:allewi () cisco com>

From: Da Pozzo Matteo <m.dapozzo () reply it<mailto:m.dapozzo () reply it>>
Date: Tuesday, July 26, 2016 at 7:36 AM
To: "snort-devel () lists sourceforge net<mailto:snort-devel () lists sourceforge net>" <snort-devel () lists 
sourceforge net<mailto:snort-devel () lists sourceforge net>>
Cc: Grazzani Marco <m.grazzani () reply it<mailto:m.grazzani () reply it>>
Subject: [Snort-devel] Snort OTV Inspection

Hi Snort Developer community,

This is the first time I have written to this list, so I hope this is the correct way to ask this question.

I would like to know if anyone has tried to inspect the payload of an OTV-encapsulated packet. I tried to analyze an ICMP ECHO and REPLY encapsulated in OTV with SNORT 2.9.8 (Build 335) and it seems not to recognize ICMP in OTV. Does anyone have experience with this?

Thanks!

The test output is posted below:

snort --daq-dir /usr/local/sf/lib/daq -r ICMP.ECHO.and.REPLY.over.OTV.pcap.pcapng
Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to read-file.
Acquiring network traffic from "ICMP.ECHO.and.REPLY.over.OTV.pcap.pcapng".

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.8 GRE (Build 335)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 7.4 2007-09-21
           Using ZLIB version: 1.2.5

Commencing packet processing (pid=22601)
WARNING: No preprocessors configured for policy 0.
08/17-21:27:36.262536 150.1.38.3 -> 150.1.78.7
GRE TTL:254 TOS:0x0 ID:2605 IpLen:20 DgmLen:1500 DF
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

WARNING: No preprocessors configured for policy 0.
08/17-21:27:36.263098 150.1.78.7 -> 150.1.38.3
GRE TTL:253 TOS:0x0 ID:2720 IpLen:20 DgmLen:1500 DF
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

===============================================================================
Run time for packet processing was 0.1477 seconds
Snort processed 2 packets.
Snort ran for 0 days 0 hours 0 minutes 0 seconds
   Pkts/sec:            2
===============================================================================
Memory usage summary:
  Total non-mmapped bytes (arena):       786432
  Bytes in mapped regions (hblkhd):      21590016
  Total allocated space (uordblks):      711648
  Total free space (fordblks):           74784
  Topmost releasable block (keepcost):   39616
===============================================================================
Packet I/O Totals:
   Received:            2
   Analyzed:            2 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:            2 (100.000%)
       VLAN:            0 (  0.000%)
        IP4:            2 (100.000%)
       Frag:            0 (  0.000%)
       ICMP:            0 (  0.000%)
        UDP:            0 (  0.000%)
        TCP:            0 (  0.000%)
        IP6:            0 (  0.000%)
    IP6 Ext:            0 (  0.000%)
   IP6 Opts:            0 (  0.000%)
      Frag6:            0 (  0.000%)
      ICMP6:            0 (  0.000%)
       UDP6:            0 (  0.000%)
       TCP6:            0 (  0.000%)
     Teredo:            0 (  0.000%)
    ICMP-IP:            0 (  0.000%)
    IP4/IP4:            0 (  0.000%)
    IP4/IP6:            0 (  0.000%)
    IP6/IP4:            0 (  0.000%)
    IP6/IP6:            0 (  0.000%)
        GRE:            2 (100.000%)
    GRE Eth:            0 (  0.000%)
   GRE VLAN:            0 (  0.000%)
    GRE IP4:            0 (  0.000%)
    GRE IP6:            0 (  0.000%)
GRE IP6 Ext:            0 (  0.000%)
   GRE PPTP:            0 (  0.000%)
    GRE ARP:            0 (  0.000%)
    GRE IPX:            0 (  0.000%)
   GRE Loop:            0 (  0.000%)
       MPLS:            0 (  0.000%)
        ARP:            0 (  0.000%)
        IPX:            0 (  0.000%)
   Eth Loop:            0 (  0.000%)
   Eth Disc:            0 (  0.000%)
   IP4 Disc:            0 (  0.000%)
   IP6 Disc:            0 (  0.000%)
   TCP Disc:            0 (  0.000%)
   UDP Disc:            0 (  0.000%)
  ICMP Disc:            0 (  0.000%)
All Discard:            0 (  0.000%)
      Other:            2 (100.000%)
Bad Chk Sum:            0 (  0.000%)
    Bad TTL:            0 (  0.000%)
     S5 G 1:            0 (  0.000%)
     S5 G 2:            0 (  0.000%)
      Total:            2
===============================================================================
Snort exiting

Thanks,

Matteo

Matteo Da Pozzo

Communication Valley
Via Robert Koch, 1/4
20152 - Milano - ITALY
phone: +39 02 535761
mobile: +39 345 4954311
m.dapozzo () reply it<mailto:m.dapozzo () reply it>
www.reply.it



________________________________

--
The information transmitted is intended for the person or entity to which it is addressed and may contain confidential 
and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in 
reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received 
this in error, please contact the sender and delete the material from any computer.


Attachment: OTV-icmpecho&icmpreply.pcap.pcapng
Description: OTV-icmpecho&icmpreply.pcap.pcapng
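The breakdown table in the quoted message counts the two packets under GRE and Other and leaves ICMP at zero. That is what a decoder does when it recognises the outer GRE header but has no handler for the protocol type it carries: the walk stops at GRE and nothing below is ever seen. The following Python is an example added to this thread (it is neither Snort source nor the poster's capture) that walks Ethernet -> IPv4 -> GRE the same way, dispatching only on the GRE payload types the breakdown table lists (GRE Eth, GRE IP4, GRE VLAN, and so on) and tallying everything else as Other. The sample frames are constructed inline with made-up addresses, MACs and a GRE key; the unhandled protocol type used for the second frame is a placeholder and not OTV's actual value, which this thread does not state.

```python
"""Walk Eth -> IPv4 -> GRE -> payload, dispatching on the GRE protocol type the way
the Snort 2.9 breakdown table is organised, and tally layers over a list of frames.
Added example, not Snort source; every frame below is constructed inline."""
import struct
from collections import Counter

# EtherType / GRE protocol-type values (IANA). The decoder only descends into these
# GRE payload types; any other type is tallied as "Other".
ETH_IP4, ETH_IP6, ETH_ARP = 0x0800, 0x86DD, 0x0806
ETH_VLAN, ETH_IPX, ETH_LOOP = 0x8100, 0x8137, 0x9000
GRE_TRANS_BRIDGING, GRE_PPTP = 0x6558, 0x880B
GRE_PAYLOAD_NAMES = {
    ETH_IP4: "GRE IP4", ETH_IP6: "GRE IP6", ETH_ARP: "GRE ARP",
    ETH_VLAN: "GRE VLAN", ETH_IPX: "GRE IPX", ETH_LOOP: "GRE Loop",
    GRE_TRANS_BRIDGING: "GRE Eth", GRE_PPTP: "GRE PPTP",
}
IPPROTO_ICMP, IPPROTO_GRE = 1, 47
# GRE flag bits in the first 16-bit word (RFC 1701 / RFC 2784 / RFC 2890).
GRE_C, GRE_R, GRE_K, GRE_S = 0x8000, 0x4000, 0x2000, 0x1000


def gre_header_len(flags):
    """Base 4 bytes, plus checksum/offset word if C or R, key if K, sequence if S."""
    hlen = 4
    if flags & (GRE_C | GRE_R):
        hlen += 4
    if flags & GRE_K:
        hlen += 4
    if flags & GRE_S:
        hlen += 4
    return hlen


def decode_gre(buf):
    """Layer names from the GRE header downwards."""
    if len(buf) < 4:
        return ["GRE", "Other"]          # truncated: nothing to dispatch on
    flags, proto = struct.unpack("!HH", buf[:4])
    hlen = gre_header_len(flags)
    if len(buf) < hlen:
        return ["GRE", "Other"]          # optional fields advertised but missing
    name = GRE_PAYLOAD_NAMES.get(proto)
    if name is None:
        return ["GRE", "Other"]          # no handler for this protocol type
    inner = buf[hlen:]
    if proto == GRE_TRANS_BRIDGING:      # Ethernet frame inside GRE
        return ["GRE", name] + decode_eth(inner)
    if proto == ETH_IP4:                 # IPv4 packet inside GRE
        return ["GRE", name] + decode_ip4(inner)
    return ["GRE", name]                 # recognised, not descended further here


def decode_ip4(buf):
    if len(buf) < 20 or buf[0] >> 4 != 4:
        return ["IP4 Disc"]
    ihl = (buf[0] & 0x0F) * 4
    total_len = struct.unpack("!H", buf[2:4])[0]
    if ihl < 20 or total_len < ihl or len(buf) < total_len:
        return ["IP4 Disc"]
    payload = buf[ihl:total_len]         # honour total length, drop any trailer
    if buf[9] == IPPROTO_ICMP:
        return ["IP4", "ICMP"]
    if buf[9] == IPPROTO_GRE:
        return ["IP4"] + decode_gre(payload)
    return ["IP4", "Other"]


def decode_eth(buf):
    if len(buf) < 14:
        return ["Eth Disc"]
    if struct.unpack("!H", buf[12:14])[0] == ETH_IP4:
        return ["Eth"] + decode_ip4(buf[14:])
    return ["Eth", "Other"]


def breakdown(frames):
    """Per-layer tally, like Snort's 'Breakdown by protocol' block."""
    counts = Counter()
    for frame in frames:
        counts.update(decode_eth(frame))
    return counts


# --- constructed sample frames (made-up MACs, addresses and key) ------------------
def build_eth(ethertype, payload):
    return b"\x02\x00\x00\x00\x00\x02\x02\x00\x00\x00\x00\x01" + struct.pack("!H", ethertype) + payload


def build_ip4(src, dst, proto, payload):
    # Header checksum left at 0: the decoder above does not verify it.
    addrs = [bytes(map(int, a.split("."))) for a in (src, dst)]
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x0A2D, 0x4000, 254, proto, 0, *addrs) + payload


def build_gre(proto, payload, key=None):
    hdr = struct.pack("!HH", GRE_K if key is not None else 0, proto)
    return hdr + (struct.pack("!I", key) if key is not None else b"") + payload


def build_icmp_echo(ident=1, seq=1, data=b"ping"):
    return struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data   # checksum left at 0


INNER_FRAME = build_eth(ETH_IP4, build_ip4("10.0.0.1", "10.0.0.2", IPPROTO_ICMP, build_icmp_echo()))
# The same inner ICMP carried two ways: transparent Ethernet bridging is dispatched into;
# the placeholder type (NOT OTV's real value, which this thread does not give) is not.
UNKNOWN_GRE_TYPE = 0xFFFF
FRAME_GRE_ETH = build_eth(ETH_IP4, build_ip4("150.1.38.3", "150.1.78.7", IPPROTO_GRE,
                                             build_gre(GRE_TRANS_BRIDGING, INNER_FRAME, key=0xBEEF)))
FRAME_GRE_UNKNOWN = build_eth(ETH_IP4, build_ip4("150.1.78.7", "150.1.38.3", IPPROTO_GRE,
                                                 build_gre(UNKNOWN_GRE_TYPE, INNER_FRAME, key=0xBEEF)))

if __name__ == "__main__":
    for frame in (FRAME_GRE_ETH, FRAME_GRE_UNKNOWN):
        print(" -> ".join(decode_eth(frame)))
    print(dict(breakdown([FRAME_GRE_ETH, FRAME_GRE_UNKNOWN])))
```

Running it prints the two walks, `Eth -> IP4 -> GRE -> GRE Eth -> Eth -> IP4 -> ICMP` for the bridged frame and `Eth -> IP4 -> GRE -> Other` for the placeholder type, and a tally in which the second frame contributes to GRE and Other but not to ICMP, which is the shape of the breakdown quoted above. To find out which protocol type a real capture carries, read the two bytes after the GRE flags word in the outer packet; a type absent from the dispatch table is exactly the case a decoder without an OTV handler cannot get past.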

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
