Snort mailing list archives

Re: QinQ and 802.1ah headers


From: jan hugo prins <jhp () jhprins org>
Date: Thu, 19 Oct 2017 16:41:11 +0200

That is really cool.
Could you tell me when I will be able to test it for you ;-) ?


Jan Hugo Prins


On 10/19/2017 04:00 PM, Russ wrote:
I've got a new pbb codec for Snort++.  It will be out soon.

On 10/19/17 7:24 AM, Al Lewis (allewi) via Snort-users wrote:
It's a little easier in Snort++ than in Snort2.

There are instructions in each version for extending Snort's
capabilities (within their downloads).


Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com


From: Jan Hugo Prins <jhp () jhprins org>
Date: Thursday, October 19, 2017 at 7:11 AM
To: allewi <allewi () cisco com>
Cc: "snort-users () lists snort org" <snort-users () lists snort org>
Subject: Re: [Snort-users] QinQ and 802.1ah headers

How much work would it be to support this header? As far as I'm
concerned it would be enough to strip the header and work with the
underneath packet.

Jan Hugo

On October 19, 2017 12:41:32 PM GMT+02:00, "Al Lewis (allewi)" <allewi () cisco com> wrote:

    Hello,

    So it doesn't look like the traffic (0x88e7 tag) is supported, as seen from the exit stats (IPv4 packets are zero).

    ------------------------------------------------------------------------

    Breakdown by protocol (includes rebuilt packets):
    Eth: 5 (100.000%)
    VLAN: 5 (100.000%)
    IP4: 0 ( 0.000%)



    As a workaround you could try to:

    1) move the capture/port mirror closer to the internal hosts so that those tags aren't present.

    2) run Snort inline between your LAN segments going outbound/inbound (before the tags are stacked on).




    Albert Lewis
    ENGINEER.SOFTWARE ENGINEERING
    SOURCEfire, Inc. now part of Cisco
    Email: allewi () cisco com

    On 10/19/17, 6:12 AM, "jan hugo prins" <jhp () jhprins org> wrote:

        Sure,

        Thanks in advance,

        Jan Hugo Prins

        On 10/19/2017 11:53 AM, Al Lewis (allewi) wrote:

            Do you have a sample that you can share? Snort should be
            able to decode those packets.

            Albert Lewis
            ENGINEER.SOFTWARE ENGINEERING
            SOURCEfire, Inc. now part of Cisco
            Email: allewi () cisco com

            On 10/19/17, 4:01 AM, "Snort-users on behalf of jan hugo prins"
            <snort-users-bounces () lists snort org on behalf of
            jhp () jhprins org> wrote:

                Hello,

                I'm trying to set up a Snort instance to monitor some inbound
                traffic to my production network. We use an Avaya SPBM cloud
                and all servers are connected to this cloud. In the VSP7024
                switches we use, I can create a port-mirroring instance and
                forward all traffic coming from a MAC address (in this case
                the BGP router of my provider) to a port on the switch, and
                then I wanted to put Snort behind this port and let it listen
                to all inbound traffic.

                When I started Snort I noticed that Snort was not seeing any
                traffic, at least not something that it could handle /
                analyze. I then started tcpdump to see what the traffic looked
                like and I saw that both the 802.1ah header with the service
                tag and the VLAN header with the VLAN tag were still in the
                packets. I would assume that Snort can handle VLAN tags, but
                what about 802.1ah headers with service tags; does Snort know
                what to do with them?

                I thought about creating a subinterface on my Linux box to
                strip the 802.1ah header, but so far I have not found a Linux
                driver that can do this for me.

                Jan Hugo

                ------------------------------------------------------------------------
                Snort-users mailing list
                Snort-users () lists snort org
                Go to this URL to change user options or unsubscribe:
                https://lists.snort.org/mailman/listinfo/snort-users
                Please visit http://blog.snort.org to stay current on
                all the latest Snort news!

-- Sent from my Android device with K-9 Mail. Please excuse my brevity.

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
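The thread turns on one point: a decoder that knows 802.1Q/802.1ad tags but not the 802.1ah I-TAG (EtherType 0x88e7) classifies a mirrored PBB frame as "Eth + VLAN" and never reaches the IPv4 header, which is exactly the "IP4: 0" in the exit stats Al pasted. The following Python is an added example written for this thread; it is not Snort code, not Russ's pbb codec, and not Avaya's implementation. It walks a constructed frame's tag stack, either stopping at 0x88e7 (no PBB codec) or decoding the I-TAG and handing back the customer frame that starts at C-DA, which is the "strip the header and work with the underneath packet" behaviour Jan Hugo asked for. The MAC addresses, VLAN IDs, I-SID and IPv4 bytes are constructed sample values; the layer names and the breakdown format only loosely mirror Snort's summary.

```python
import struct
from collections import Counter

# EtherTypes that appear in QinQ / PBB stacks (IEEE-assigned values, not Snort constants)
ETH_P_8021Q = 0x8100      # customer VLAN tag (C-TAG)
ETH_P_8021AD = 0x88A8     # service / backbone VLAN tag (S-TAG, B-TAG)
ETH_P_QINQ_OLD = 0x9100   # pre-standard QinQ tag still emitted by some switches
ETH_P_8021AH = 0x88E7     # 802.1ah I-TAG: provider backbone bridging (MAC-in-MAC)
ETH_P_IPV4 = 0x0800

VLAN_TAGS = {ETH_P_8021Q, ETH_P_8021AD, ETH_P_QINQ_OLD}
LAYER_NAMES = ("Eth", "VLAN", "PBB", "IP4")


def parse_frame(frame, decode_pbb=True):
    """Walk the outer Ethernet header and every tag stacked on it.

    decode_pbb=False stops at the 0x88e7 I-TAG, which is what a decoder without
    a PBB codec does: the frame is classified as Eth + VLAN and the IPv4 header
    underneath is never reached.  Returns the layers seen, the VLAN IDs, the
    24-bit I-SID, the final EtherType, the encapsulated customer frame (from
    C-DA onwards) and the bytes following the last layer-2 header.
    """
    layers = ["Eth"]
    vids = []
    isid = None
    inner = None
    off = 12                                   # skip outer (backbone) DA / SA
    try:
        (etype,) = struct.unpack_from("!H", frame, off)
        off += 2
        while True:
            if etype in VLAN_TAGS:
                tci, etype = struct.unpack_from("!HH", frame, off)
                off += 4
                vids.append(tci & 0x0FFF)      # low 12 bits of the TCI are the VID
                layers.append("VLAN")
            elif etype == ETH_P_8021AH:
                if not decode_pbb:
                    break
                (itci,) = struct.unpack_from("!I", frame, off)
                off += 4
                isid = itci & 0x00FFFFFF       # I-TAG TCI: PCP/DEI/UCA/res + 24-bit I-SID
                layers.append("PBB")
                inner = frame[off:]            # customer frame starts at C-DA
                off += 12                      # skip C-DA / C-SA
                (etype,) = struct.unpack_from("!H", frame, off)
                off += 2
                layers.append("Eth")
            else:
                break
    except struct.error:
        raise ValueError("frame truncated at offset %d" % off)
    if etype == ETH_P_IPV4:
        layers.append("IP4")
    return {"layers": layers, "vids": vids, "isid": isid,
            "ethertype": etype, "inner": inner, "payload": frame[off:]}


def protocol_breakdown(frames, decode_pbb=True):
    """Per-layer frame counts in the spirit of Snort's 'Breakdown by protocol'."""
    counts = Counter({name: 0 for name in LAYER_NAMES})
    for frame in frames:
        counts.update(set(parse_frame(frame, decode_pbb)["layers"]))
    return dict(counts)


def build_pbb_frame(isid, bvid, cvid, payload):
    """Constructed sample frame: B-DA/B-SA, B-TAG, I-TAG, C-DA/C-SA, C-TAG, IPv4."""
    backbone_macs = bytes.fromhex("001122334455" "66778899aabb")
    btag = struct.pack("!HH", ETH_P_8021AD, bvid)               # PCP/DEI = 0
    itag = struct.pack("!HI", ETH_P_8021AH, isid & 0x00FFFFFF)  # PCP/DEI/UCA = 0
    customer_macs = bytes.fromhex("0a0b0c0d0e0f" "1a1b1c1d1e1f")
    ctag = struct.pack("!HH", ETH_P_8021Q, cvid)
    return (backbone_macs + btag + itag + customer_macs + ctag
            + struct.pack("!H", ETH_P_IPV4) + payload)


# Constructed stand-in for the mirrored traffic: five PBB frames carrying a
# minimal 20-byte IPv4 header (only the version/IHL byte matters here).
SAMPLE_FRAMES = [build_pbb_frame(0x012345, 100, 200, b"\x45" + b"\x00" * 19)
                 for _ in range(5)]

if __name__ == "__main__":
    print("without PBB codec:", protocol_breakdown(SAMPLE_FRAMES, decode_pbb=False))
    print("with PBB codec:   ", protocol_breakdown(SAMPLE_FRAMES, decode_pbb=True))
    stripped = parse_frame(SAMPLE_FRAMES[0])["inner"]
    print("inner frame layers:", parse_frame(stripped)["layers"])
```

Run with `decode_pbb=False` the breakdown is Eth 5, VLAN 5, IP4 0, reproducing the symptom in the thread; with the I-TAG decoded the same five frames count as IP4 5, and the returned `inner` bytes parse as an ordinary Eth / VLAN / IP4 frame, so anything that only understands single-tagged Ethernet can be fed that slice. The same walk is also a cheap check to run over a pcap from the mirror port before deploying a sensor: if 0x88e7 shows up as the final EtherType, the sensor needs a PBB-aware decoder or the capture point has to move, as Al's workarounds suggest.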
