Re: QinQ and 802.1ah headers

[Jan Hugo Prins <jhp () jhprins org>]

How much work would it be to support this header? As far as I'm concerned it would be enough to strip the header and 
work with the underneath packet.

Jan Hugo

On October 19, 2017 12:41:32 PM GMT+02:00, "Al Lewis (allewi)" <allewi () cisco com> wrote:
> Hello,
>
>       So it doesn’t look like the traffic (0x88e7 tag) is supported as seen
> from the exit stats (ipv4 packets are zero).
>
> ===============================================================================
> Breakdown by protocol (includes rebuilt packets):
> Eth: 5 (100.000%)
> VLAN: 5 (100.000%)
> IP4: 0 ( 0.000%)
>
>
>
> As a workaround you could try to:
>
>
> 1) move the capture/port mirror closer to the internal hosts so that
> those tags arent present.
>
>
> 2) run snort inline between your lan segments going outbound/inbound
> (before the tags are stacked on).
>
>
>
>
> Albert Lewis
> ENGINEER.SOFTWARE ENGINEERING
> SOURCEfire, Inc. now part of Cisco
> Email: allewi () cisco com 
>
>
>
>
>
>
>
>
> On 10/19/17, 6:12 AM, "jan hugo prins" <jhp () jhprins org> wrote:
>
> > Sure,
> >
> > Thanks in advance,
> > Jan Hugo Prins
> >
> >
> > On 10/19/2017 11:53 AM, Al Lewis (allewi) wrote:
> > > Do you have a sample that you can share?
> > >
> > > Snort should be able to decode those packets.
> > >
> > >
> > > Albert Lewis
> > > ENGINEER.SOFTWARE ENGINEERING
> > > SOURCEfire, Inc. now part of Cisco
> > > Email: allewi () cisco com 
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > On 10/19/17, 4:01 AM, "Snort-users on behalf of jan hugo prins"
> <snort-users-bounces () lists snort org on behalf of jhp () jhprins org>
> wrote:
> > > > Hello
> > > >
> > > > I'm trying to setup a snort instance to monitor some inbound
> traffic to
> > > > my production network. We use an Avaya SPBM cloud and all servers
> are
> > > > connected to this cloud. In the VSP7024 switches we use, I can
> create a
> > > > port-mirroring instance and forward all traffic coming from a MAC
> > > > address (in this case the BGP router of my provider) to a port on
> the
> > > > switch and then I wanted to put snort behind this port and let it
> listen
> > > > to all inbound traffic.
> > > >
> > > > When I started snort I noticed that snort was not seeing any
> traffic, at
> > > > least not something that it could handle / analyze. I then started
> > > > tcpdump to see what the traffic looked like and I saw that both the
> > > > 802.1ah header with the service tag and the vlan header with the
> vlan
> > > > tag were still in the packets. I would assume that snort can handle
> vlan
> > > > tags, but what about 802.1ah headers with service tags, does snort
> know
> > > > what to do with them?
> > > >
> > > > I thought about creating a subinterface on my linux box to strip
> the
> > > > 802.1ah header but so far I have not found a linux driver that can
> do
> > > > this for me.
> > > >
> > > > Jan Hugo
> > > >
> > > >
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users () lists snort org
> > > > Go to this URL to change user options or unsubscribe:
> > > > https://lists.snort.org/mailman/listinfo/snort-users
> > > >
> > > > Please visit http://blog.snort.org to stay current on all the
> latest Snort news!
> >

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!