Snort mailing list archives

Snort with GRE Tunnel/ERSPAN


From: "Rajput, Jawad (CONTR) via Snort-devel" <snort-devel () lists snort org>
Date: Wed, 19 Dec 2018 17:02:37 +0000

Good Morning, 

I have a question about Snort 2.9.9.0 GRE (Build 56) compatibility with ERSPAN/GRE Tunnel. Snort is not generating any 
events while fed with ERSPAN. We can see data on the listening interface, but Snort is not generating any events. We had 
the same issue with Bro, but we fixed it by editing the init-bare.bro file and changing the encap_hdr_size = 0 line to 
encap_hdr_size = 44. My question is: is there a way to ignore the first N bytes while inspecting tunnel traffic with Snort? 

Jawad Rajput 
System Administrator
U.S. Department of Energy 
IM-62 /Germantown Building
HQ Network Security Team
Email: Jawad.Rajput () hq doe gov
Office: 301-903-2176
Office: 301-903-3895

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
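
The number of bytes to skip in front of a mirrored frame depends on which outer headers the ERSPAN source actually emits. The Python below is an added example, not part of the original message and not Snort or Bro code; it computes that offset from a captured frame. The function names and sample frames are constructed for illustration, and it assumes an untagged outer Ethernet header, IPv4 transport and ERSPAN Type I or Type II (GRE protocol 0x88BE).

```python
import struct

ETH_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_GRE = 47
GRE_PROTO_ERSPAN = 0x88BE  # ERSPAN Type I and Type II
ERSPAN_II_LEN = 8

def inner_frame_offset(frame: bytes) -> int:
    """Return the byte offset of the mirrored (inner) Ethernet frame."""
    if len(frame) < ETH_LEN + 20:
        raise ValueError("frame too short for Ethernet + IPv4")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    ihl = (frame[ETH_LEN] & 0x0F) * 4  # IPv4 header length, options included
    if ethertype != ETHERTYPE_IPV4 or ihl < 20 or frame[ETH_LEN + 9] != IPPROTO_GRE:
        raise ValueError("outer packet is not IPv4/GRE")
    gre = ETH_LEN + ihl
    if len(frame) < gre + 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack_from("!HH", frame, gre)
    if flags & 0x0007 or proto != GRE_PROTO_ERSPAN:
        raise ValueError("not GRE version 0 carrying ERSPAN Type I/II")
    off = gre + 4
    off += 4 if flags & 0x8000 else 0  # optional checksum + reserved field
    off += 4 if flags & 0x2000 else 0  # optional key
    if flags & 0x1000:
        # Sequence bit set: Type II, a 4-byte sequence number then an 8-byte
        # ERSPAN header. Type I carries neither.
        off += 4 + ERSPAN_II_LEN
    if len(frame) < off + ETH_LEN:
        raise ValueError("truncated before inner Ethernet frame")
    return off

def build_sample(type_ii: bool) -> bytes:
    """Constructed test frame: zeroed addresses, stub inner Ethernet/IPv4."""
    inner = bytes(12) + b"\x08\x00" + b"\x45" + bytes(19)
    outer_eth = bytes(12) + struct.pack("!H", ETHERTYPE_IPV4)
    outer_ip = bytes([0x45, 0, 0, 0, 0, 0, 0, 0, 64, IPPROTO_GRE]) + bytes(10)
    if type_ii:
        gre = struct.pack("!HHI", 0x1000, GRE_PROTO_ERSPAN, 1)  # S bit, seq=1
        erspan = struct.pack("!HHI", 0x1000, 0x0001, 0)  # version 1, session 1
    else:
        gre, erspan = struct.pack("!HH", 0, GRE_PROTO_ERSPAN), b""
    return outer_eth + outer_ip + gre + erspan + inner

if __name__ == "__main__":
    print("Type II offset:", inner_frame_offset(build_sample(True)))
    print("Type I offset:", inner_frame_offset(build_sample(False)))
```

The offsets are counted from the start of the outer Ethernet header; subtract 14 for a value counted from the start of the outer IP header.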

