[Snort-users] ERSPAN

Mike Hale eyeronic.design at ...11827...
Tue Apr 1 10:54:06 EDT 2014


Are your Nexus switches configured with vpc?
On Apr 1, 2014 7:51 AM, "Fernando Cardoso" <fcardoso at ...14432...> wrote:

> Thanks Carter,
>
> So I need to solve the malformed packets first; do you have any idea about this
> issue? My SPAN configuration seems OK and my OS too. I'll look for
> any misconfiguration between the switch and the OS (virtual machine).
>
>
> Fernando C>
>
>
> 2014-04-01 10:13 GMT-03:00 Carter Waxman (cwaxman) <cwaxman at ...589...>:
>
>>  Hello,
>>
>>  It appears most of the packets in "notdecoded.pcap" are malformed (in
>> particular, the IP->GRE->IP data), and the output you are seeing is from
>> GRE-encapsulated non-IP data (at least this is how Wireshark and Snort
>> interpret it). The packets that are malformed are simply being dropped by
>> Snort.
>>
>> I can't speak for your network, but somehow the length fields in the
>> outer IP headers are smaller than they should be (e.g. 87 -- the length without
>> the GRE and inner Ethernet headers -- instead of 115 for the first packet),
>> which is why these packets are being rejected.
>>
>>  -Carter
>>
>> From: "Russ Combs (rucombs)" <rucombs at ...589...>
>> Date: Monday, March 31, 2014 11:40 AM
>> To: Fernando Cardoso <fcardoso at ...14432...>, "snort-users at lists.sourceforge.net" <snort-users at lists.sourceforge.net>
>> Subject: Re: [Snort-users] ERSPAN
>>
>> Can you send a pcap?
>>  ------------------------------
>> *From:* Fernando Cardoso [fcardoso at ...14432...]
>> *Sent:* Friday, March 28, 2014 11:00 AM
>> *To:* snort-users at lists.sourceforge.net
>> *Subject:* [Snort-users] ERSPAN
>>
>>   Hello,
>>
>> I'm using Snort version 2.9.6.0 GRE (Build 47) on an Ubuntu Server to
>> sniff ERSPAN traffic.
>> Snort's output shows me the entire packet from many different VLANs, but the source
>> and destination addresses are the same ones configured in my switch session.
>> Sniffing example running Snort:
>> snort -X -i eth1
>>
>> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>>
>>  03/28-11:37:15.569789 10.199.11.1 -> 10.200.10.10
>> GRE TTL:255 TOS:0x0 ID:900 IpLen:20 DgmLen:84 DF
>> 0x0000: 00 50 56 91 06 B7 54 7F EE 96 AC 7C 08 00 45 00  .PV...T....|..E.
>> 0x0010: 00 54 03 84 40 00 FF 2F 65 02 0A C7 C7 01 0A 64  .T..@../e......d
>> 0x0020: 36 C8 10 00 88 BE 32 4E CB 44 12 6B 00 01 00 01  6.....2N.D.k....
>> 0x0030: 00 00 02 0A BD 00 00 00 02 0A BE 00 00 00 89 03  ................
>> 0x0040: 40 20 00 B0 D1 34 32 31 00 50 56 91 72 E3 81 00  @ ...421.PV.r...
>> 0x0050: 02 6B 08 00 45 00 00 28 67 D8 40 00 40 06 E8 6A  .k..E..(g.@.@..j
>> 0x0060: 0A FC 13 05 BA DF 11 AD 1F 90 C6 6E 81 51 5B D9  ...........n.Q[.
>> 0x0070: 6E 90 0F 3E 50 10 00 F2 83 5D 00 00 00 00 00 00  n..>P....]......
>>                               ..
>> Where 10.199.11.1 is my source and 10.200.10.10 is my destination in my
>> session configuration.
>>
>> When I use tools like tshark and gulp I can see the right source and
>> destination, not only the source and destination from GRE.
>>
>> My switch is a Nexus 5k and my config is something like this:
>>  session 1
>> ---------------
>> type              : erspan-source
>> state             : up
>> erspan-id         : 1
>> vrf-name          : default
>> destination-ip    : 10.200.10.10
>> ip-ttl            : 255
>> ip-dscp           : 0
>> origin-ip         : 10.199.11.1 (global)
>> source intf       :
>>     rx            :
>>     tx            :
>>     both          :
>> source VLANs      :
>>     rx            : 10,50,100-150
>>
>>
>> My question is, can Snort show the destination and source IP addresses from
>> decapsulated ERSPAN like tshark and gulp?
>>
>>
>>
>
>
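An added example, not from the thread or from Snort: a small Python checker that walks the `snort -X` dump Fernando posted (outer IPv4, GRE, ERSPAN type II, mirrored Ethernet, inner IPv4) and reproduces the length mismatch Carter describes, reporting the inner addresses Fernando was asking for. It assumes the 16 bytes between the ERSPAN header and the mirrored frame are a Cisco FabricPath tag (ethertype 0x8903); that is an inference from the bytes, not something the thread states.

```python
import struct

# Constructed sample: the 128 bytes printed by `snort -X` in the original post,
# re-typed from its hex dump (the post truncates the frame after this point).
FRAME = bytes.fromhex(
    "0050569106B7547FEE96AC7C08004500" "005403844000FF2F65020AC7C7010A64"
    "36C8100088BE324ECB44126B00010001" "0000020ABD000000020ABE0000008903"
    "402000B0D13432310050569172E38100" "026B08004500002867D840004006E86A"
    "0AFC1305BADF11AD1F90C66E81515BD9" "6E900F3E501000F2835D000000000000"
)

def parse_erspan_frame(frame):
    """Walk outer IPv4 -> GRE -> ERSPAN II -> mirrored Ethernet -> inner IPv4 and
    compare the outer Total Length with the bytes the stack really occupies."""
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        raise ValueError("outer frame is not IPv4")
    ip = 14
    outer_len = struct.unpack_from("!H", frame, ip + 2)[0]
    if frame[ip + 9] != 47:
        raise ValueError("outer IPv4 payload is not GRE")
    gre = ip + (frame[ip] & 0x0F) * 4
    flags, gre_proto = struct.unpack_from("!HH", frame, gre)
    if gre_proto != 0x88BE:
        raise ValueError("GRE payload is not ERSPAN type II")
    # RFC 2890: the C/R, K and S bits each add a 4-byte field after the base header.
    erspan = gre + 4 + 4 * bool(flags & 0xC000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
    session = struct.unpack_from("!H", frame, erspan + 2)[0] & 0x03FF
    # ERSPAN II is an 8-byte header followed by the mirrored Ethernet frame:
    # skip its 12 MAC bytes, then step over any tags sitting before the ethertype.
    pos = erspan + 8 + 12
    while True:
        etype = struct.unpack_from("!H", frame, pos)[0]
        pos += 2
        if etype == 0x8100:        # 802.1Q: 2-byte TCI, then the real ethertype
            pos += 2
        elif etype == 0x8903:      # assumed Cisco FabricPath tag: 2-byte FTag/TTL,
            pos += 2 + 12          # then the classic Ethernet header it wraps
        else:
            break
    if etype != 0x0800:
        raise ValueError("mirrored frame is not IPv4 (ethertype 0x%04x)" % etype)
    inner_len = struct.unpack_from("!H", frame, pos + 2)[0]
    carried = pos + inner_len - ip  # outer IPv4 header through end of inner datagram
    ip4 = lambda b: ".".join(str(x) for x in b)
    # A decoder that trusts outer_total_len runs out of bytes for the inner headers.
    return {"erspan_session": session,
            "inner_src": ip4(frame[pos + 12:pos + 16]),
            "inner_dst": ip4(frame[pos + 16:pos + 20]),
            "outer_total_len": outer_len, "carried_len": carried,
            "undercount": carried - outer_len, "malformed": carried > outer_len}
```

On the posted dump the outer header claims 84 bytes while the stack actually spans 110, an undercount of 26 (8 bytes of GRE plus an 18-byte 802.1Q-tagged inner Ethernet header), which matches Carter's reading of the pcap.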

