Snort mailing list archives
Re: QinQ and 802.1ah headers
From: "Al Lewis \(allewi\) via Snort-users" <snort-users () lists snort org>
Date: Thu, 19 Oct 2017 10:41:32 +0000
Hello,

So it doesn't look like the traffic (0x88e7 tag) is supported, as seen from the exit stats (IPv4 packets are zero).

===============================================================================
Breakdown by protocol (includes rebuilt packets):
      Eth:          5 (100.000%)
     VLAN:          5 (100.000%)
      IP4:          0 (  0.000%)

As a workaround you could try to:
1) move the capture/port mirror closer to the internal hosts so that those tags aren't present.
2) run snort inline between your LAN segments going outbound/inbound (before the tags are stacked on).

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

On 10/19/17, 6:12 AM, "jan hugo prins" <jhp () jhprins org> wrote:
Sure,

Thanks in advance,
Jan Hugo Prins

On 10/19/2017 11:53 AM, Al Lewis (allewi) wrote:

Do you have a sample that you can share? Snort should be able to decode those packets.

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

On 10/19/17, 4:01 AM, "Snort-users on behalf of jan hugo prins" <snort-users-bounces () lists snort org on behalf of jhp () jhprins org> wrote:

Hello,

I'm trying to set up a snort instance to monitor some inbound traffic to my production network. We use an Avaya SPBM cloud and all servers are connected to this cloud. In the VSP7024 switches we use, I can create a port-mirroring instance and forward all traffic coming from a MAC address (in this case the BGP router of my provider) to a port on the switch, and then I wanted to put snort behind this port and let it listen to all inbound traffic.

When I started snort I noticed that snort was not seeing any traffic, at least not something that it could handle / analyze. I then started tcpdump to see what the traffic looked like and I saw that both the 802.1ah header with the service tag and the VLAN header with the VLAN tag were still in the packets.

I would assume that snort can handle VLAN tags, but what about 802.1ah headers with service tags? Does snort know what to do with them?

I thought about creating a subinterface on my Linux box to strip the 802.1ah header, but so far I have not found a Linux driver that can do this for me.

Jan Hugo

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
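The exchange above comes down to a header-stack question: the mirrored frames carry an 802.1ad B-TAG and an 802.1ah I-TAG (ethertype 0x88e7) in front of the customer VLAN tag and the IPv4 header, and a decoder that knows Ethernet, VLAN tags and IPv4 but not 0x88e7 stops before it ever reaches IP, which is exactly the Eth/VLAN/IP4 pattern in the stats Al quotes. The following is an added example written for this thread; it is not Snort's decoder and not code from either poster. It walks a constructed 802.1ah frame with a VLAN-only decoder (my simplified model, an assumption, not Snort's actual implementation) and with one that understands the I-TAG, and it shows the "strip the 802.1ah header before the sensor sees it" idea from Jan's message as a plain function. All MAC addresses, VLAN IDs, the I-SID and the IPv4 addresses are made up.

```python
"""Added example for the QinQ / 802.1ah discussion above (not Snort's decoder).

Walks a stacked Ethernet header chain (802.1Q C-TAG, 802.1ad S-/B-TAG,
802.1ah I-TAG) the way a link-layer decoder would, counts which layers it
reaches, and strips the 802.1ah (MAC-in-MAC) outer encapsulation so that a
decoder which only understands VLAN tags can see the inner customer frame.
"""
import struct
from typing import Dict, List, Optional

ETH_P_IP = 0x0800      # IPv4
ETH_P_8021Q = 0x8100   # 802.1Q C-TAG
ETH_P_8021AD = 0x88A8  # 802.1ad S-TAG (used as the B-TAG in 802.1ah)
ETH_P_8021AH = 0x88E7  # 802.1ah I-TAG (provider backbone bridging, MAC-in-MAC)


def decode(frame: bytes, support_8021ah: bool) -> Dict[str, int]:
    """Count the layers reached in one frame.

    With support_8021ah=False this models a decoder that knows only Ethernet,
    VLAN tags and IPv4 (an assumption used to reproduce the Eth/VLAN/IP4
    pattern from the stats in the thread): it stops at the 0x88e7 I-TAG and
    never reaches the inner IPv4 header.
    """
    counts = {"Eth": 0, "VLAN": 0, "PBB": 0, "IP4": 0}
    if len(frame) < 14:
        return counts
    counts["Eth"] += 1
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off = 14  # first byte after the ethertype just read
    while True:
        if ethertype in (ETH_P_8021Q, ETH_P_8021AD):
            # 2 bytes TCI, then the next ethertype
            if off + 4 > len(frame):
                break
            counts["VLAN"] += 1
            ethertype = struct.unpack("!H", frame[off + 2:off + 4])[0]
            off += 4
        elif ethertype == ETH_P_8021AH:
            if not support_8021ah:
                break
            # 4 bytes I-TAG control (PCP/DEI/UCA/Res/I-SID), then the
            # encapsulated C-DA (6), C-SA (6) and the customer ethertype (2)
            if off + 18 > len(frame):
                break
            counts["PBB"] += 1
            ethertype = struct.unpack("!H", frame[off + 16:off + 18])[0]
            off += 18
        elif ethertype == ETH_P_IP:
            if off + 20 <= len(frame) and frame[off] >> 4 == 4:
                counts["IP4"] += 1
            break
        else:
            break
    return counts


def breakdown(frames: List[bytes], support_8021ah: bool) -> Dict[str, int]:
    """Sum decode() counts over a capture, like a 'breakdown by protocol' table."""
    total = {"Eth": 0, "VLAN": 0, "PBB": 0, "IP4": 0}
    for frame in frames:
        for layer, n in decode(frame, support_8021ah).items():
            total[layer] += n
    return total


def strip_8021ah(frame: bytes) -> Optional[bytes]:
    """Return the inner customer frame (starting at C-DA) of a PBB frame,
    or None if the frame carries no 0x88e7 I-TAG after its outer tags."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off = 14
    while ethertype in (ETH_P_8021Q, ETH_P_8021AD):
        if off + 4 > len(frame):
            return None
        ethertype = struct.unpack("!H", frame[off + 2:off + 4])[0]
        off += 4
    if ethertype != ETH_P_8021AH or off + 18 > len(frame):
        return None
    return frame[off + 4:]  # skip the I-TAG control word; C-DA follows


def build_sample_pbb_frame() -> bytes:
    """Constructed sample (all addresses and IDs made up): B-DA/B-SA, B-TAG
    (0x88a8, VID 100), I-TAG (0x88e7, I-SID 0x012345), C-DA/C-SA, C-TAG
    (0x8100, VID 10), ethertype 0x0800 and a minimal 20-byte IPv4 header."""
    b_da, b_sa = bytes.fromhex("00aabbccdd01"), bytes.fromhex("00aabbccdd02")
    b_tag = struct.pack("!HH", ETH_P_8021AD, 100)
    i_tag = struct.pack("!HI", ETH_P_8021AH, 0x012345)  # PCP/DEI/UCA/Res = 0
    c_da, c_sa = bytes.fromhex("001122334401"), bytes.fromhex("001122334402")
    c_tag = struct.pack("!HH", ETH_P_8021Q, 10)
    ipv4 = (bytes([0x45, 0x00]) + struct.pack("!HHHBBH", 20, 0, 0, 64, 6, 0)
            + bytes.fromhex("c0a80001c0a80002"))  # 192.168.0.1 -> 192.168.0.2
    return (b_da + b_sa + b_tag + i_tag + c_da + c_sa + c_tag
            + struct.pack("!H", ETH_P_IP) + ipv4)


if __name__ == "__main__":
    capture = [build_sample_pbb_frame()] * 5
    print("VLAN-only decoder:", breakdown(capture, support_8021ah=False))
    print("with 802.1ah:     ", breakdown(capture, support_8021ah=True))
    inner = strip_8021ah(capture[0])
    print("after stripping:  ", decode(inner, support_8021ah=False))
```

Run over five copies of the sample frame, the VLAN-only decoder reports Eth 5, VLAN 5, IP4 0 (it consumed the B-TAG and then gave up on 0x88e7), while the I-TAG-aware decoder reaches all five IPv4 headers. Feeding `strip_8021ah()` output to the VLAN-only decoder also yields IP4 5, which is the effect Al's two workarounds (mirroring before the backbone tags are pushed, or sitting inline between the LAN segments) achieve on the wire rather than in software: the sensor only gets the customer frame.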
Current thread:
- QinQ and 802.1ah headers jan hugo prins (Oct 19)
- Re: QinQ and 802.1ah headers Al Lewis (allewi) via Snort-users (Oct 19)
- Re: QinQ and 802.1ah headers jan hugo prins (Oct 19)
- Re: QinQ and 802.1ah headers Al Lewis (allewi) via Snort-users (Oct 19)
- Re: QinQ and 802.1ah headers Jan Hugo Prins (Oct 19)
- Re: QinQ and 802.1ah headers Al Lewis (allewi) via Snort-users (Oct 19)
- Re: QinQ and 802.1ah headers Russ via Snort-users (Oct 19)
- Re: QinQ and 802.1ah headers jan hugo prins (Oct 19)
- Re: QinQ and 802.1ah headers Russ via Snort-users (Oct 24)
- Re: QinQ and 802.1ah headers jan hugo prins (Oct 19)
- Re: QinQ and 802.1ah headers Al Lewis (allewi) via Snort-users (Oct 19)