Snort mailing list archives
Re: Snort with ERSPAN
From: Giles Coochey via Snort-devel <snort-devel () lists snort org>
Date: Mon, 5 Aug 2019 13:34:10 +0100
I've been doing this by using rcdcap to decode the ERSPAN packets. As described here: https://brezular.com/2015/05/03/decapsulation-erspan-traffic-with-open-source-tools/
On 05/08/2019 13:30, Rajput, Jawad (CONTR) via Snort-devel wrote:
Good Morning,

We are trying to test Snort with ERSPAN version 1 and type 1, and Snort absolutely does not detect anything. I can manually take off the first 38 bytes using the "editcap" utility and run the PCAP through Snort with positive hits. My question is, is there a way to configure/compile Snort to skip the first 38 bytes while inspecting traffic? Unfortunately, I cannot share a sample PCAP per organization policy.

Jawad Rajput, CISSP
System Administrator
U.S. Department of Energy
IM-62 /Germantown Building
HQ Network Security Team
Email: Jawad.Rajput () hq doe gov
Office: 301-903-2176
Office: 301-903-3895
_______________________________________________ Snort-devel mailing list Snort-devel () lists snort org https://lists.snort.org/mailman/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!
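The decapsulation both messages describe, as an added example that is not part of this thread and not code from Snort or rcdcap: a stand-alone Python script that strips the outer Ethernet/IPv4/GRE encapsulation and writes a pcap of the mirrored frames that can be replayed with `snort -r`. For ERSPAN Type I the outer headers are 14 + 20 + 4 = 38 bytes, which is the chop described in the original question; Type II adds a 4-byte GRE sequence number and an 8-byte ERSPAN header. Unlike a fixed 38-byte chop (`editcap -C 38`), the script checks that a packet really is GRE carrying protocol 0x88BE (or 0x22EB for Type III) before stripping, and allows for a VLAN tag and IP options on the outer headers, so non-ERSPAN packets are dropped rather than silently corrupted. Every MAC/IP address, session value and packet byte below is constructed for the example.

```python
"""Decapsulate ERSPAN (over GRE/IPv4) pcaps so Snort sees the mirrored frames.

Added example, not Snort or rcdcap code.  Outer layout assumed:
  Ethernet [802.1Q] / IPv4 [options] / GRE [C,K,S fields] / [ERSPAN hdr] / inner frame
  Type I  : plain GRE, proto 0x88BE, no ERSPAN header   -> 38 bytes
  Type II : GRE S bit set, proto 0x88BE, 8-byte header  -> 50 bytes
  Type III: proto 0x22EB, 12-byte header (+8 if O bit set)
Non-ERSPAN packets are dropped rather than blindly chopped.
"""
import struct
import sys

ETHERTYPE_IPV4, ETHERTYPE_8021Q = 0x0800, 0x8100
IPPROTO_GRE = 47
GRE_PROTO_ERSPAN_I_II, GRE_PROTO_ERSPAN_III = 0x88BE, 0x22EB
PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1


def erspan_inner_offset(frame):
    """Offset of the mirrored Ethernet frame, or None if the packet is not ERSPAN."""
    if len(frame) < 14:
        return None
    ethertype, off = struct.unpack("!H", frame[12:14])[0], 14
    if ethertype == ETHERTYPE_8021Q:                 # VLAN-tagged outer frame
        if len(frame) < 18:
            return None
        ethertype, off = struct.unpack("!H", frame[16:18])[0], 18
    if ethertype != ETHERTYPE_IPV4 or len(frame) < off + 20:
        return None
    ver_ihl = frame[off]
    if ver_ihl >> 4 != 4 or frame[off + 9] != IPPROTO_GRE:
        return None
    off += (ver_ihl & 0x0F) * 4                      # honour IP options
    if len(frame) < off + 4:
        return None
    gre_flags, gre_proto = struct.unpack("!HH", frame[off:off + 4])
    off += 4
    off += 4 if gre_flags & 0x8000 else 0            # C: checksum + reserved
    off += 4 if gre_flags & 0x2000 else 0            # K: key
    off += 4 if gre_flags & 0x1000 else 0            # S: sequence number
    if gre_proto == GRE_PROTO_ERSPAN_I_II:
        if gre_flags & 0x1000:                       # Type II carries an 8-byte header
            off += 8
    elif gre_proto == GRE_PROTO_ERSPAN_III:
        if len(frame) < off + 12:
            return None
        o_bit = struct.unpack("!I", frame[off + 8:off + 12])[0] & 1
        off += 12 + (8 if o_bit else 0)              # optional platform sub-header
    else:
        return None
    return off if len(frame) >= off + 14 else None


def decapsulate_pcap(data):
    """Return (new_pcap, kept, dropped) with each ERSPAN packet replaced by its payload."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("expected LINKTYPE_ETHERNET")
    out, kept, dropped, pos = bytearray(data[:24]), 0, 0, 24
    while pos + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(endian + "IIII", data[pos:pos + 16])
        frame = data[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        off = erspan_inner_offset(frame)
        if off is None:
            dropped += 1
            continue
        inner = frame[off:]
        out += struct.pack(endian + "IIII", sec, usec, len(inner), len(inner)) + inner
        kept += 1
    return bytes(out), kept, dropped


# --- constructed sample traffic (addresses, ports and session values are made up) ---
def _ipv4(proto, payload_len):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

INNER_FRAME = (bytes.fromhex("0a00000000020a0000000001") + struct.pack("!H", ETHERTYPE_IPV4)
               + _ipv4(6, 20) + struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x02, 8192, 0, 0))
_OUTER_ETH = bytes.fromhex("00112233445566778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
# Type I: 14 + 20 + 4 = 38 bytes of encapsulation, the chop described in the question
ERSPAN_TYPE1 = (_OUTER_ETH + _ipv4(IPPROTO_GRE, 4 + len(INNER_FRAME))
                + struct.pack("!HH", 0x0000, GRE_PROTO_ERSPAN_I_II) + INNER_FRAME)
# Type II: GRE with sequence number 7, then ver=1/vlan=100/session=1 ERSPAN header (50 bytes)
ERSPAN_TYPE2 = (_OUTER_ETH + _ipv4(IPPROTO_GRE, 16 + len(INNER_FRAME))
                + struct.pack("!HHI", 0x1000, GRE_PROTO_ERSPAN_I_II, 7)
                + struct.pack("!HHI", (1 << 12) | 100, 1, 0) + INNER_FRAME)


def build_sample_pcap():
    """Classic little-endian pcap: one Type I, one Type II and one plain (non-ERSPAN) frame."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    recs = b"".join(struct.pack("<IIII", 1, i, len(f), len(f)) + f
                    for i, f in enumerate([ERSPAN_TYPE1, ERSPAN_TYPE2, INNER_FRAME]))
    return hdr + recs


if __name__ == "__main__":
    src, dst = (sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else (None, "decapsulated.pcap")
    data = open(src, "rb").read() if src else build_sample_pcap()
    new, kept, dropped = decapsulate_pcap(data)
    open(dst, "wb").write(new)
    print(f"{dst}: {kept} frames decapsulated, {dropped} non-ERSPAN packets dropped")
```

Run it as `python erspan_decap.py erspan.pcap inner.pcap` (the file name is mine) and then `snort -r inner.pcap -c snort.conf` to inspect the mirrored frames; with no arguments it writes the constructed sample. Dropping non-ERSPAN packets is a deliberate choice for a capture taken on a dedicated ERSPAN destination port; on a mixed capture you would instead want to pass them through unchanged, which is a one-line change in `decapsulate_pcap`.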
Current thread:
- Snort with ERSPAN Rajput, Jawad (CONTR) via Snort-devel (Aug 05)
- Re: Snort with ERSPAN Giles Coochey via Snort-devel (Aug 05)
- Re: Snort with ERSPAN Russ Combs (rucombs) via Snort-devel (Aug 05)
- Re: Snort with ERSPAN Giles Coochey via Snort-devel (Aug 05)
