[Snort-users] QinQ and 802.1ah headers

Al Lewis (allewi) allewi at cisco.com
Thu Oct 19 06:41:32 EDT 2017


Hello,

So it doesn’t look like the traffic (0x88e7 tag) is supported, as seen from the exit stats (IPv4 packets are zero).

===============================================================================
Breakdown by protocol (includes rebuilt packets):
Eth: 5 (100.000%)
VLAN: 5 (100.000%)
IP4: 0 ( 0.000%)



As a workaround you could try to:

1) move the capture/port mirror closer to the internal hosts so that those tags aren't present.

2) run snort inline between your LAN segments going outbound/inbound (before the tags are stacked on).

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi at cisco.com 
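The header stack Jan describes (B-TAG, 802.1ah I-TAG, then the customer VLAN tag), as an added example that is not part of this thread and not Snort's own decoder: a small Python walker over a constructed frame that parses 802.1Q/802.1ad tags and the 802.1ah I-TAG (ethertype 0x88e7) down to the IPv4 payload. Run with PBB decoding switched off, it stops at the 0x88e7 tag and reproduces a breakdown where Eth and VLAN are counted but IP4 stays zero. That a decoder which only knows 802.1Q/802.1ad tags behaves this way is an assumption of the example, as are the MAC addresses, VLAN ids, I-SID and the minimal IPv4 header.

```python
import struct

# Ethertypes involved in a provider-backbone-bridged (802.1ah, MAC-in-MAC) frame.
ETH_IPV4 = 0x0800
ETH_VLAN = 0x8100   # 802.1Q C-TAG
ETH_QINQ = 0x88A8   # 802.1ad S-TAG; also used for the 802.1ah B-TAG
ETH_PBB = 0x88E7    # 802.1ah I-TAG (service instance tag)


def parse_frame(frame, decode_pbb=True):
    """Walk the Ethernet tag stack of one frame.

    Returns (layers, inner_ethertype, payload_offset). With decode_pbb=False
    the walk stops at the 0x88e7 tag, mimicking a decoder that understands
    802.1Q/802.1ad tags but not 802.1ah (assumption for this example): the
    frame is counted as Eth + VLAN, but the IPv4 header inside is never reached.
    """
    layers = ["Eth"]
    off = 12                                   # outer DA (6) + SA (6)
    ethertype = struct.unpack_from("!H", frame, off)[0]
    off += 2
    while True:
        if ethertype in (ETH_VLAN, ETH_QINQ):
            tci = struct.unpack_from("!H", frame, off)[0]
            layers.append("VLAN(%d)" % (tci & 0x0FFF))   # low 12 bits: VLAN id
            ethertype = struct.unpack_from("!H", frame, off + 2)[0]
            off += 4
        elif ethertype == ETH_PBB:
            if not decode_pbb:
                layers.append("unknown(0x%04x)" % ethertype)
                return layers, ethertype, off
            itag = struct.unpack_from("!I", frame, off)[0]
            layers.append("PBB(I-SID %d)" % (itag & 0x00FFFFFF))  # low 24 bits
            # 4-byte I-TAG TCI, then the encapsulated customer DA + SA (12 bytes),
            # then the customer ethertype.
            off += 4 + 12
            ethertype = struct.unpack_from("!H", frame, off)[0]
            off += 2
        else:
            break
    if ethertype == ETH_IPV4:
        layers.append("IP4")
    return layers, ethertype, off


def breakdown(frames, decode_pbb=True):
    """Count frames per protocol, in the style of Snort's exit statistics."""
    counts = {"Eth": 0, "VLAN": 0, "IP4": 0}
    for frame in frames:
        layers, _, _ = parse_frame(frame, decode_pbb)
        names = {layer.split("(")[0] for layer in layers}
        for key in counts:
            if key in names:
                counts[key] += 1
    return counts


def build_pbb_frame(isid=100, svlan=200, cvlan=10):
    """Constructed sample: backbone header + B-TAG + I-TAG + customer header + C-TAG + IPv4."""
    b_da, b_sa = bytes.fromhex("00000000aa01"), bytes.fromhex("00000000aa02")
    c_da, c_sa = bytes.fromhex("00000000cc01"), bytes.fromhex("00000000cc02")
    frame = b_da + b_sa
    frame += struct.pack("!HH", ETH_QINQ, svlan)   # B-TAG (PCP/DEI zero)
    frame += struct.pack("!HI", ETH_PBB, isid)     # I-TAG: PCP/DEI/UCA zero, I-SID
    frame += c_da + c_sa                           # encapsulated customer MACs
    frame += struct.pack("!HH", ETH_VLAN, cvlan)   # C-TAG
    frame += struct.pack("!H", ETH_IPV4)
    # Minimal 20-byte IPv4 header (constructed; checksum left zero).
    frame += bytes.fromhex("45000014000100004001" "0000" "c0a80001" "c0a80002")
    return frame


if __name__ == "__main__":
    sample = build_pbb_frame()
    print("full decode:", parse_frame(sample, decode_pbb=True)[0])
    print("no PBB decode:", parse_frame(sample, decode_pbb=False)[0])
    print("stats without PBB:", breakdown([sample] * 5, decode_pbb=False))
    print("stats with PBB:", breakdown([sample] * 5, decode_pbb=True))
```

The second workaround in the reply corresponds to feeding the walker a frame from before the B-TAG and I-TAG are pushed: only the C-TAG remains, and both modes reach the IPv4 header.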
On 10/19/17, 6:12 AM, "jan hugo prins" <jhp at jhprins.org> wrote:

>Sure,
>
>Thanks in advance,
>Jan Hugo Prins
>
>
>On 10/19/2017 11:53 AM, Al Lewis (allewi) wrote:
>> Do you have a sample that you can share?
>>
>> Snort should be able to decode those packets.
>>
>>
>> Albert Lewis
>> ENGINEER.SOFTWARE ENGINEERING
>> SOURCEfire, Inc. now part of Cisco
>> Email: allewi at cisco.com 
>>
>> On 10/19/17, 4:01 AM, "Snort-users on behalf of jan hugo prins" <snort-users-bounces at lists.snort.org on behalf of jhp at jhprins.org> wrote:
>>
>>> Hello
>>>
>>> I'm trying to setup a snort instance to monitor some inbound traffic to
>>> my production network. We use an Avaya SPBM cloud and all servers are
>>> connected to this cloud. In the VSP7024 switches we use, I can create a
>>> port-mirroring instance and forward all traffic coming from a MAC
>>> address (in this case the BGP router of my provider) to a port on the
>>> switch and then I wanted to put snort behind this port and let it listen
>>> to all inbound traffic.
>>>
>>> When I started snort I noticed that snort was not seeing any traffic, at
>>> least not something that it could handle / analyze. I then started
>>> tcpdump to see what the traffic looked like and I saw that both the
>>> 802.1ah header with the service tag and the vlan header with the vlan
>>> tag were still in the packets. I would assume that snort can handle vlan
>>> tags, but what about 802.1ah headers with service tags, does snort know
>>> what to do with them?
>>>
>>> I thought about creating a subinterface on my linux box to strip the
>>> 802.1ah header but so far I have not found a linux driver that can do
>>> this for me.
>>>
>>> Jan Hugo
>>>
>>>
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.snort.org
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.snort.org/mailman/listinfo/snort-users
>>>
>>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>