Snort mailing list archives
Re: QinQ and 802.1ah headers
From: jan hugo prins <jhp () jhprins org>
Date: Thu, 19 Oct 2017 16:41:11 +0200
That is really cool. Could you tell me when I will be able to test it for you ;-) ? Jan Hugo Prins On 10/19/2017 04:00 PM, Russ wrote:
I've got a new pbb codec for Snort++. It will be out soon. On 10/19/17 7:24 AM, Al Lewis (allewi) via Snort-users wrote:Its a little easier in Snort++ than in Snort2. There are instructions in each version for extending snorts capabilities (within their downloads). *Albert Lewis* ENGINEER.SOFTWARE ENGINEERING SOURCE*fire*, Inc. now part of *Cisco* Email: allewi () cisco com <mailto:allewi () cisco com> From: Jan Hugo Prins <jhp () jhprins org <mailto:jhp () jhprins org>> Date: Thursday, October 19, 2017 at 7:11 AM To: allewi <allewi () cisco com <mailto:allewi () cisco com>> Cc: "snort-users () lists snort org <mailto:snort-users () lists snort org>" <snort-users () lists snort org <mailto:snort-users () lists snort org>> Subject: Re: [Snort-users] QinQ and 802.1ah headers How much work would it be to support this header? As far as I'm concerned it would be enough to strip the header and work with the underneath packet. Jan Hugo On October 19, 2017 12:41:32 PM GMT+02:00, "Al Lewis (allewi)" <allewi () cisco com <mailto:allewi () cisco com>> wrote: Hello, So it doesn’t look like the traffic (0x88e7 tag) is supported as seen from the exit stats (ipv4 packets are zero). ------------------------------------------------------------------------ Breakdown by protocol (includes rebuilt packets): Eth: 5 (100.000%) VLAN: 5 (100.000%) IP4: 0 ( 0.000%) As a workaround you could try to: 1) move the capture/port mirror closer to the internal hosts so that those tags arent present. 2) run snort inline between your lan segments going outbound/inbound (before the tags are stacked on). Albert Lewis ENGINEER.SOFTWARE ENGINEERING SOURCEfire, Inc. now part of Cisco Email: allewi () cisco com <mailto:allewi () cisco com> On 10/19/17, 6:12 AM, "jan hugo prins" <jhp () jhprins org <mailto:jhp () jhprins org>> wrote: Sure, Thanks in advance, Jan Hugo Prins On 10/19/2017 11:53 AM, Al Lewis (allewi) wrote: Do you have a sample that you can share? Snort should be able to decode those packets. Albert Lewis ENGINEER.SOFTWARE ENGINEERING SOURCEfire, Inc. now part of Cisco Email: allewi () cisco com <mailto:allewi () cisco com> On 10/19/17, 4:01 AM, "Snort-users on behalf of jan hugo prins" <snort-users-bounces () lists snort org <mailto:snort-users-bounces () lists snort org> on behalf of jhp () jhprins org <mailto:jhp () jhprins org>> wrote: Hello I'm trying to setup a snort instance to monitor some inbound traffic to my production network. We use an Avaya SPBM cloud and all servers are connected to this cloud. In the VSP7024 switches we use, I can create a port-mirroring instance and forward all traffic coming from a MAC address (in this case the BGP router of my provider) to a port on the switch and then I wanted to put snort behind this port and let it listen to all inbound traffic. When I started snort I noticed that snort was not seeing any traffic, at least not something that it could handle / analyze. I then started tcpdump to see what the traffic looked like and I saw that both the 802.1ah header with the service tag and the vlan header with the vlan tag were still in the packets. I would assume that snort can handle vlan tags, but what about 802.1ah headers with service tags, does snort know what to do with them? I thought about creating a subinterface on my linux box to strip the 802.1ah header but so far I have not found a linux driver that can do this for me. Jan Hugo ------------------------------------------------------------------------ Snort-users mailing list Snort-users () lists snort org <mailto:Snort-users () lists snort org> Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news! -- Sent from my Android device with K-9 Mail. Please excuse my brevity. _______________________________________________ Snort-users mailing list Snort-users () lists snort org Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
_______________________________________________ Snort-users mailing list Snort-users () lists snort org Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- QinQ and 802.1ah headers jan hugo prins (Oct 19)
- Re: QinQ and 802.1ah headers Al Lewis (allewi) via Snort-users (Oct 19)
- Re: QinQ and 802.1ah headers jan hugo prins (Oct 19)
- Re: QinQ and 802.1ah headers Al Lewis (allewi) via Snort-users (Oct 19)
- Re: QinQ and 802.1ah headers Jan Hugo Prins (Oct 19)
- Re: QinQ and 802.1ah headers Al Lewis (allewi) via Snort-users (Oct 19)
- Re: QinQ and 802.1ah headers Russ via Snort-users (Oct 19)
- Re: QinQ and 802.1ah headers jan hugo prins (Oct 19)
- Re: QinQ and 802.1ah headers Russ via Snort-users (Oct 24)
- Re: QinQ and 802.1ah headers jan hugo prins (Oct 19)
- Re: QinQ and 802.1ah headers Al Lewis (allewi) via Snort-users (Oct 19)