[Snort-users] ERSPAN

Fernando Cardoso fcardoso at ...14432...
Fri Mar 28 11:00:04 EDT 2014


Hello,

I'm using  Snort version 2.9.6.0 GRE (Build 47) on a Ubuntu Server to sniff
ERSPAN traffic.
Snort output show me entire packet of many different vlans but the source
address and destination is the same configured on my switch session.
Sniffing example running snort:
snort -X -i eth1
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/28-11:37:15.569789 10.199.11.1 -> 10.200.10.10
GRE TTL:255 TOS:0x0 ID:900 IpLen:20 DgmLen:84 DF
0x0000: 00 50 56 91 06 B7 54 7F EE 96 AC 7C 08 00 45 00  .PV...T....|..E.
0x0010: 00 54 03 84 40 00 FF 2F 65 02 0A C7 C7 01 0A 64  .T.. at ...846.../e......d
0x0020: 36 C8 10 00 88 BE 32 4E CB 44 12 6B 00 01 00 01  6.....2N.D.k....
0x0030: 00 00 02 0A BD 00 00 00 02 0A BE 00 00 00 89 03  ................
0x0040: 40 20 00 B0 D1 34 32 31 00 50 56 91 72 E3 81 00  @ ...421.PV.r...
0x0050: 02 6B 08 00 45 00 00 28 67 D8 40 00 40 06 E8 6A  .k..E..(g. at ...843...@..j
0x0060: 0A FC 13 05 BA DF 11 AD 1F 90 C6 6E 81 51 5B D9  ...........n.Q[.
0x0070: 6E 90 0F 3E 50 10 00 F2 83 5D 00 00 00 00 00 00  n..>P....]......
                              ..
Where 10.199.11.1 is my source and 10.200.10.10 is my destination in my
session configuration

When I use tools like tshark and gulp I can see the right source and dest
not only source and dest from GRE.

My switch is a nexus 5k and my config is something like this:
session 1
---------------
type              : erspan-source
state             : up
erspan-id         : 1
vrf-name          : default
destination-ip    : 10.200.10.10
ip-ttl            : 255
ip-dscp           : 0
origin-ip         : 10.199.11.1 (global)
source intf       :
    rx            :
    tx            :
    both          :
source VLANs      :
    rx            : 10,50,100-150


My question is, can snort show the ip adress dest and source from
decapsulated erspan like tshark and gulp?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140328/1cd9f5d5/attachment.html>


More information about the Snort-users mailing list