[Snort-users] ERSPAN

Fernando Cardoso fcardoso at ...14432...
Tue Apr 1 15:15:31 EDT 2014


Hey Mike,

Yes, our switches are configured with VPC.


2014-04-01 11:54 GMT-03:00 Mike Hale <eyeronic.design at ...11827...>:

> Are your Nexus switches configured with vpc?
> On Apr 1, 2014 7:51 AM, "Fernando Cardoso" <fcardoso at ...14432...> wrote:
>
>> Thanks Carter,
>>
>> So I need to solve the malformed packets first; do you have any idea about this
>> issue? My SPAN configuration seems OK and my OS too; I'll be looking for
>> any misconfiguration between the switch and the OS (virtual machine).
>>
>>
>> Fernando C>
>>
>>
>> 2014-04-01 10:13 GMT-03:00 Carter Waxman (cwaxman) <cwaxman at ...589...>:
>>
>>>  Hello,
>>>
>>>  It appears most of the packets in "notdecoded.pcap" are malformed (in
>>> particular, the IP->GRE->IP data), and the output you are seeing is from
>>> GRE-encapsulated non-IP data (at least this is how Wireshark and Snort
>>> interpret it). The packets that are malformed are simply being dropped by
>>> Snort.
>>>
>>>  I can't speak for your network, but somehow the length fields in the
>>> outer IP headers are smaller than they should be (e.g. 87, the length without
>>> the GRE and inner Ethernet headers, instead of 115 for the first packet),
>>> which is why these packets are being rejected.
>>>
>>>  -Carter
>>>
>>>   From: "Russ Combs (rucombs)" <rucombs at ...589...>
>>> Date: Monday, March 31, 2014 11:40 AM
>>> To: Fernando Cardoso <fcardoso at ...14432...>, "
>>> snort-users at lists.sourceforge.net" <snort-users at lists.sourceforge.net>
>>> Subject: Re: [Snort-users] ERSPAN
>>>
>>>   Can you send a pcap?
>>>  ------------------------------
>>> *From:* Fernando Cardoso [fcardoso at ...14432...]
>>> *Sent:* Friday, March 28, 2014 11:00 AM
>>> *To:* snort-users at lists.sourceforge.net
>>> *Subject:* [Snort-users] ERSPAN
>>>
>>>   Hello,
>>>
>>>  I'm using Snort version 2.9.6.0 GRE (Build 47) on an Ubuntu Server to
>>> sniff ERSPAN traffic.
>>> Snort output shows me the entire packet of many different VLANs, but the
>>> source and destination addresses are the same ones configured in my switch session.
>>> Sniffing example running snort:
>>> snort -X -i eth1
>>>
>>> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>>>
>>>  03/28-11:37:15.569789 10.199.11.1 -> 10.200.10.10
>>> GRE TTL:255 TOS:0x0 ID:900 IpLen:20 DgmLen:84 DF
>>> 0x0000: 00 50 56 91 06 B7 54 7F EE 96 AC 7C 08 00 45 00  .PV...T....|..E.
>>> 0x0010: 00 54 03 84 40 00 FF 2F 65 02 0A C7 C7 01 0A 64  .T..@../e......d
>>> 0x0020: 36 C8 10 00 88 BE 32 4E CB 44 12 6B 00 01 00 01  6.....2N.D.k....
>>> 0x0030: 00 00 02 0A BD 00 00 00 02 0A BE 00 00 00 89 03  ................
>>> 0x0040: 40 20 00 B0 D1 34 32 31 00 50 56 91 72 E3 81 00  @ ...421.PV.r...
>>> 0x0050: 02 6B 08 00 45 00 00 28 67 D8 40 00 40 06 E8 6A  .k..E..(g.@.@..j
>>> 0x0060: 0A FC 13 05 BA DF 11 AD 1F 90 C6 6E 81 51 5B D9  ...........n.Q[.
>>> 0x0070: 6E 90 0F 3E 50 10 00 F2 83 5D 00 00 00 00 00 00  n..>P....]......
>>>                               ..
>>>  Where 10.199.11.1 is my source and 10.200.10.10 is my destination in
>>> my session configuration.
>>>
>>>  When I use tools like tshark and gulp I can see the right source and
>>> destination, not only the source and destination from GRE.
>>>
>>>  My switch is a Nexus 5k and my config is something like this:
>>>  session 1
>>> ---------------
>>> type              : erspan-source
>>> state             : up
>>> erspan-id         : 1
>>> vrf-name          : default
>>> destination-ip    : 10.200.10.10
>>> ip-ttl            : 255
>>> ip-dscp           : 0
>>> origin-ip         : 10.199.11.1 (global)
>>> source intf       :
>>>     rx            :
>>>     tx            :
>>>     both          :
>>> source VLANs      :
>>>     rx            : 10,50,100-150
>>>
>>>
>>>  My question is, can Snort show the IP address dest and source from
>>> the decapsulated ERSPAN like tshark and gulp?
>>>
>>>
>>>
>>
>>
>>
>
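As an added example (not code from this thread), here is a small Python decoder that walks the frame from the hex dump above: Ethernet, outer IPv4, GRE, ERSPAN type II, then the mirrored frame down to its own IP header, and reports the outer IP total length next to the number of bytes the capture actually holds, which is the mismatch Carter describes. It assumes that EtherType 0x8903 in the mirrored frame is Cisco FabricPath with a 2-byte FTAG/TTL word before the original Ethernet header; the addresses it reports follow the dump's bytes, which differ from the addresses printed in the post's summary line.

```python
import struct
from ipaddress import IPv4Address

# Frame bytes copied from the hex dump in the post (the 128 bytes it shows;
# the real packet continues past offset 0x7f).
FRAME = bytes.fromhex(
    "0050569106b7547fee96ac7c08004500" "005403844000ff2f65020ac7c7010a64"
    "36c8100088be324ecb44126b00010001" "0000020abd000000020abe0000008903"
    "402000b0d13432310050569172e38100" "026b08004500002867d840004006e86a"
    "0afc1305badf11ad1f90c66e81515bd9" "6e900f3e501000f2835d000000000000"
)
ETH_IPV4, ETH_VLAN, ETH_FABRICPATH = 0x0800, 0x8100, 0x8903  # 0x8903: assumed Cisco FabricPath
GRE_PROTO_ERSPAN2, IPPROTO_GRE = 0x88BE, 47

def l2_skip(buf, off):
    """Step over an Ethernet header and any 802.1Q tags; return (ethertype, payload offset)."""
    etype, off = struct.unpack_from("!H", buf, off + 12)[0], off + 14
    while etype == ETH_VLAN:
        etype, off = struct.unpack_from("!H", buf, off + 2)[0], off + 4
    return etype, off

def ipv4(buf, off):
    """Return (src, dst, protocol, total_length, header_length) of an IPv4 header."""
    total_len, _, _, _, proto = struct.unpack_from("!HHHBB", buf, off + 2)
    src, dst = IPv4Address(buf[off + 12:off + 16]), IPv4Address(buf[off + 16:off + 20])
    return str(src), str(dst), proto, total_len, (buf[off] & 0x0F) * 4

def decode_erspan(frame):
    """Decapsulate Ethernet/IPv4/GRE/ERSPAN-II and compare the outer IP length with the capture."""
    etype, off = l2_skip(frame, 0)
    o_src, o_dst, proto, o_len, ihl = ipv4(frame, off)
    if etype != ETH_IPV4 or proto != IPPROTO_GRE:
        raise ValueError("not an IPv4/GRE frame")
    flags, gre_proto = struct.unpack_from("!HH", frame, off + ihl)
    if gre_proto != GRE_PROTO_ERSPAN2:
        raise ValueError("GRE payload is not ERSPAN type II")
    # GRE base header plus optional checksum (C), key (K) and sequence (S) words.
    gre_len = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
    ers = off + ihl + gre_len
    vers_vlan, ses = struct.unpack_from("!HH", frame, ers)
    etype, inner = l2_skip(frame, ers + 8)  # 8-byte ERSPAN type II header
    if etype == ETH_FABRICPATH:  # assumption: skip 2-byte FTAG/TTL, then the original frame's L2 header
        etype, inner = l2_skip(frame, inner + 2)
    if etype != ETH_IPV4:
        raise ValueError("inner frame is not IPv4")
    i_src, i_dst, i_proto, _, _ = ipv4(frame, inner)
    return {
        "outer": (o_src, o_dst), "outer_ip_total_len": o_len,
        "bytes_after_l2": len(frame) - off,  # what the capture holds; Snort drops the packet when it exceeds the IP length
        "erspan_version": vers_vlan >> 12, "erspan_vlan": vers_vlan & 0x0FFF, "session": ses & 0x03FF,
        "inner": (i_src, i_dst), "inner_proto": i_proto,
    }

if __name__ == "__main__":
    for k, v in decode_erspan(FRAME).items():
        print(f"{k:20} {v}")
```

For this frame the outer IP header claims 84 bytes while at least 114 bytes follow the Ethernet header, so the mirrored IP addresses are only reachable by a decoder that ignores the outer length field.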