[Snort-devel] Snort with GRE Tunnel/ERSPAN

Rajput, Jawad (CONTR) Jawad.Rajput at hq.doe.gov
Wed Dec 19 12:02:37 EST 2018


Good Morning, 

I have a question about Snort  2.9.9.0 GRE (Build 56) compatibility with ERSPAN/GRE Tunnel. Snort is not generating any events while fed with ERSPAN. We can see data on the listening interface but Snort is not generating any events. We had the same issue with Bro but we fixed it by editing ini-bare.bro file and changed from encap_hdr_size = 0 line to encap_hdr_size = 44. My question is there a way to ignore first N bytes while inspecting tunnel traffic with Snort? 

Jawad Rajput 
System Administrator
U.S. Department of Energy 
IM-62 /Germantown Building
HQ Network Security Team
Email: Jawad.Rajput at hq.doe.gov
Office: 301-903-2176
Office: 301-903-3895



More information about the Snort-devel mailing list