Snort mailing list archives

Re: Snort with ERSPAN


From: "Russ Combs \(rucombs\) via Snort-devel" <snort-devel () lists snort org>
Date: Mon, 5 Aug 2019 14:46:32 +0000

Snort should handle version 1 / type 2 as shown in that link.  If you have
version 1 / type 1, that isn't supported currently.  We can look into that.

Just to confirm, do you have type 1 as defined here?

    https://tools.ietf.org/html/draft-foschiano-erspan-03#section-4.1

Thanks
Russ

On 8/5/19, 8:34 AM, "Snort-devel on behalf of Giles Coochey via
Snort-devel" <snort-devel-bounces () lists snort org on behalf of
snort-devel () lists snort org> wrote:

I've been doing this by using rcdcap to decode the ERSPAN packets.

As described here:
https://brezular.com/2015/05/03/decapsulation-erspan-traffic-with-open-source-tools/

On 05/08/2019 13:30, Rajput, Jawad (CONTR) via Snort-devel wrote:
Good Morning,

We are trying to test Snort with ERSPAN version 1 and type 1, Snort
absolutely does not detect anything. I can manually take off first 38
bytes using "editcap" utility and run the PCAP through Snort with
positive hits.

My question is, is there a way to configure/compile snort to skip first
38 bytes while inspecting a traffic? Unfortunately, I cannot share a
sample PCAP per organization policy.

Jawad Rajput, CISSP
System Administrator
U.S. Department of Energy
IM-62 /Germantown Building
HQ Network Security Team
Email: Jawad.Rajput () hq doe gov
Office: 301-903-2176
Office: 301-903-3895

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
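The thread turns on the difference between ERSPAN Type I (GRE with no sequence number, mirrored frame immediately after the 4-byte GRE header, hence the fixed 38-byte strip with editcap for Ethernet + IPv4 + GRE) and Type II (GRE with the S bit set, followed by an 8-byte ERSPAN header). The script below is an added example, not code from the thread or from the Snort project: it parses the outer headers instead of assuming a fixed offset, tells Type I from Type II, and rewrites a pcap so the mirrored frames can be fed to Snort (or any other sensor) directly. It assumes an IPv4 outer header, classic little-endian pcap files, and the GRE protocol type 0x88BE used for ERSPAN Type I/II; the sample frames it builds are constructed for the demonstration.

```python
import struct
import sys

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_8021Q = 0x8100
IPPROTO_GRE = 47
ERSPAN_GRE_PROTO = 0x88BE            # GRE protocol type for ERSPAN Type I and II
GRE_FLAG_C, GRE_FLAG_K, GRE_FLAG_S = 0x8000, 0x2000, 0x1000
PCAP_MAGIC_LE = 0xA1B2C3D4
DLT_EN10MB = 1


def erspan_payload_offset(frame):
    """Return (offset, erspan_type) of the mirrored frame inside an ERSPAN packet,
    or None if the frame is not ERSPAN over GRE/IPv4.
    Type I: GRE without S bit, mirrored frame follows the GRE header directly.
    Type II: GRE with S bit (4-byte sequence number), then an 8-byte ERSPAN header."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    off = 14
    if ethertype == ETHERTYPE_8021Q:        # outer frame may carry one VLAN tag
        if len(frame) < 18:
            return None
        ethertype = struct.unpack_from("!H", frame, 16)[0]
        off = 18
    if ethertype != ETHERTYPE_IPV4 or len(frame) < off + 20:
        return None
    ihl = (frame[off] & 0x0F) * 4           # honour IPv4 options instead of assuming 20
    if frame[off + 9] != IPPROTO_GRE or ihl < 20 or len(frame) < off + ihl + 4:
        return None
    off += ihl
    gre_flags, gre_proto = struct.unpack_from("!HH", frame, off)
    if gre_proto != ERSPAN_GRE_PROTO:
        return None
    off += 4
    if gre_flags & GRE_FLAG_C:
        off += 4                            # checksum + reserved
    if gre_flags & GRE_FLAG_K:
        off += 4                            # key
    if gre_flags & GRE_FLAG_S:
        off += 4 + 8                        # sequence number + ERSPAN Type II header
        erspan_type = 2
    else:
        erspan_type = 1                     # Type I: no ERSPAN header at all
    if len(frame) < off + 14:               # mirrored frame must at least hold an Ethernet header
        return None
    return off, erspan_type


def decap_pcap(pcap):
    """Rewrite a classic little-endian pcap, replacing each ERSPAN packet with the
    mirrored frame it carries. Non-ERSPAN packets are passed through unchanged."""
    if struct.unpack_from("<I", pcap, 0)[0] != PCAP_MAGIC_LE:
        raise ValueError("expected a classic little-endian pcap file")
    out = bytearray(pcap[:24])
    stats = {"decapsulated": 0, "passed": 0}
    pos = 24
    while pos + 16 <= len(pcap):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from("<IIII", pcap, pos)
        pos += 16
        frame = pcap[pos:pos + incl_len]
        pos += incl_len
        hit = erspan_payload_offset(frame)
        if hit:
            frame = frame[hit[0]:]
            orig_len -= hit[0]
            stats["decapsulated"] += 1
        else:
            stats["passed"] += 1
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), orig_len) + frame
    return bytes(out), stats


# --- constructed sample data (not captured traffic) ---------------------------
def build_inner_frame():
    # Mirrored Ethernet frame with a minimal IPv4 header and a short payload.
    return bytes.fromhex("0011223344550066778899aa0800") + b"\x45" + b"\x00" * 19 + b"mirrored"


def build_erspan_frame(erspan_type, inner):
    if erspan_type == 1:
        gre = struct.pack("!HH", 0, ERSPAN_GRE_PROTO)
    else:   # S bit set, sequence number, then ERSPAN Type II header (ver 1, VLAN 1, session 1)
        gre = struct.pack("!HHI", GRE_FLAG_S, ERSPAN_GRE_PROTO, 1) + struct.pack("!HHI", 0x1001, 0x0001, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre) + len(inner), 0, 0, 64,
                     IPPROTO_GRE, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    eth = bytes.fromhex("aabbccddeeff001122334455") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + gre + inner


def build_pcap(frames):
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, DLT_EN10MB)
    records = b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f for i, f in enumerate(frames))
    return header + records


if __name__ == "__main__":
    # usage: python erspan_decap.py in.pcap out.pcap
    with open(sys.argv[1], "rb") as fh:
        data, stats = decap_pcap(fh.read())
    with open(sys.argv[2], "wb") as fh:
        fh.write(data)
    print(stats)
```

Because the offset is computed from the IHL and GRE flag bits, the same script handles captures where the GRE key or checksum fields are present, where the 38-byte assumption would cut into the mirrored frame; Type III (GRE protocol 0x22EB) is deliberately left untouched and passes through unchanged.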