List: snort-users
Subject: Re: [Snort-users] QinQ and 802.1ah headers
From: Russ via Snort-users <snort-users () lists ! snort ! org>
Date: 2017-10-24 13:55:29
Message-ID: c807ecf1-5c8d-37cd-14a0-23fb533cc268 () cisco ! com
Hi - the codec is on github now. It is in the extras. Follow the steps
in extra/README to build and run with those external plugins.
Hope that helps.
Russ
On 10/19/17 10:41 AM, jan hugo prins wrote:
> That is really cool.
> Could you tell me when I will be able to test it for you ;-) ?
>
>
> Jan Hugo Prins
>
>
> On 10/19/2017 04:00 PM, Russ wrote:
> > I've got a new pbb codec for Snort++. It will be out soon.
> >
> > On 10/19/17 7:24 AM, Al Lewis (allewi) via Snort-users wrote:
> > > It's a little easier in Snort++ than in Snort2.
> > >
> > > There are instructions in each version for extending Snort's
> > > capabilities (within their downloads).
> > >
> > >
> > > *Albert Lewis*
> > >
> > > ENGINEER.SOFTWARE ENGINEERING
> > >
> > > SOURCE*fire*, Inc. now part of *Cisco*
> > >
> > > Email: allewi@cisco.com <mailto:allewi@cisco.com>
> > >
> > >
> > > From: Jan Hugo Prins <jhp@jhprins.org <mailto:jhp@jhprins.org>>
> > > Date: Thursday, October 19, 2017 at 7:11 AM
> > > To: allewi <allewi@cisco.com <mailto:allewi@cisco.com>>
> > > Cc: "snort-users@lists.snort.org
> > > <mailto:snort-users@lists.snort.org>" <snort-users@lists.snort.org
> > > <mailto:snort-users@lists.snort.org>>
> > > Subject: Re: [Snort-users] QinQ and 802.1ah headers
> > >
> > > How much work would it be to support this header? As far as I'm
> > > concerned it would be enough to strip the header and work with the
> > > underneath packet.
> > >
> > > Jan Hugo
> > >
> > > On October 19, 2017 12:41:32 PM GMT+02:00, "Al Lewis (allewi)"
> > > <allewi@cisco.com <mailto:allewi@cisco.com>> wrote:
> > >
> > > Hello,
> > >
> > > So it doesn't look like the traffic (0x88e7 tag) is supported as seen from the
> > > exit stats (ipv4 packets are zero).
> > > ------------------------------------------------------------------------
> > >
> > > Breakdown by protocol (includes rebuilt packets):
> > > Eth: 5 (100.000%)
> > > VLAN: 5 (100.000%)
> > > IP4: 0 ( 0.000%)
> > >
> > >
> > >
> > > As a workaround you could try to:
> > >
> > >
> > > 1) move the capture/port mirror closer to the internal hosts so that those tags
> > > aren't present.
> > >
> > > 2) run snort inline between your lan segments going outbound/inbound (before
> > > the tags are stacked on).
> > >
> > >
> > >
> > > Albert Lewis
> > > ENGINEER.SOFTWARE ENGINEERING
> > > SOURCEfire, Inc. now part of Cisco
> > > Email:allewi@cisco.com <mailto:allewi@cisco.com>
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > On 10/19/17, 6:12 AM, "jan hugo prins" <jhp@jhprins.org
> > > <mailto:jhp@jhprins.org>> wrote:
> > >
> > > > Sure,
> > > > Thanks in advance,
> > > >
> > > > Jan Hugo Prins
> > > >
> > > > On 10/19/2017 11:53 AM, Al Lewis (allewi) wrote:
> > > >
> > > > > Do you have a sample that you can share?
> > > > > Snort should be able to decode those packets.
> > > > >
> > > > > Albert Lewis
> > > > > ENGINEER.SOFTWARE ENGINEERING
> > > > > SOURCEfire, Inc. now part of Cisco
> > > > > Email: allewi@cisco.com <mailto:allewi@cisco.com>
> > > > >
> > > > > On 10/19/17, 4:01 AM, "Snort-users on behalf of jan hugo prins"
> > > > > <snort-users-bounces@lists.snort.org
> > > > > <mailto:snort-users-bounces@lists.snort.org> on behalf of
> > > > > jhp@jhprins.org <mailto:jhp@jhprins.org>> wrote:
> > > > >
> > > > > > Hello
> > > > > >
> > > > > > I'm trying to set up a snort instance to monitor some inbound traffic to
> > > > > > my production network. We use an Avaya SPBM cloud and all servers are
> > > > > > connected to this cloud. In the VSP7024 switches we use, I can create a
> > > > > > port-mirroring instance and forward all traffic coming from a MAC
> > > > > > address (in this case the BGP router of my provider) to a port on the
> > > > > > switch, and then I wanted to put snort behind this port and let it listen
> > > > > > to all inbound traffic.
> > > > > >
> > > > > > When I started snort I noticed that snort was not seeing any traffic, at
> > > > > > least not something that it could handle / analyze. I then started
> > > > > > tcpdump to see what the traffic looked like and I saw that both the
> > > > > > 802.1ah header with the service tag and the vlan header with the vlan
> > > > > > tag were still in the packets. I would assume that snort can handle vlan
> > > > > > tags, but what about 802.1ah headers with service tags, does snort know
> > > > > > what to do with them?
> > > > > >
> > > > > > I thought about creating a subinterface on my linux box to strip the
> > > > > > 802.1ah header but so far I have not found a linux driver that can do
> > > > > > this for me.
> > > > > >
> > > > > > Jan Hugo
> > > > > >
> > > > > > ------------------------------------------------------------------------
> > > > > > Snort-users mailing list
> > > > > > Snort-users@lists.snort.org <mailto:Snort-users@lists.snort.org>
> > > > > > Go to this URL to change user options or unsubscribe:
> > > > > > https://lists.snort.org/mailman/listinfo/snort-users
> > > > > > Please visit http://blog.snort.org to stay current on all the latest
> > > > > > Snort news!
> > >
> > > -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
> > >
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users@lists.snort.org
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.snort.org/mailman/listinfo/snort-users
> > >
> > > Please visit http://blog.snort.org to stay current on all the latest Snort
> > > news!
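The exit stats Al quoted (Eth 100%, VLAN 100%, IP4 0%) are exactly what a decoder produces when it can peel 802.1Q/802.1ad tags but stops at the 0x88e7 I-TAG: the Ethernet and VLAN layers are counted, the walk then halts and the IPv4 packet underneath is never reached. The following stand-alone C++ program is an added illustration of that header walk, not the pbb codec in the Snort++ extras and not code from anyone in this thread. The I-TAG layout it assumes is the IEEE 802.1ah one (after ethertype 0x88e7: a 4-byte I-TCI whose low 24 bits are the I-SID, then the customer DA and SA, then the customer frame with its optional C-TAG); the MAC addresses, VLAN IDs, I-SID and IPv4 header in the sample frame are constructed values shaped like the SPBM traffic Jan describes (B-TAG, I-TAG, C-TAG, IPv4).

```cpp
// Added example: walk the Ethernet header stack (802.1Q/802.1ad VLAN tags and the
// 802.1ah I-TAG) and report which layers were reached. Not Snort's own codec.
#include <cstdint>
#include <cstddef>
#include <cstdio>
#include <initializer_list>
#include <vector>

constexpr uint16_t ETH_P_IP     = 0x0800;
constexpr uint16_t ETH_P_8021Q  = 0x8100;  // C-TAG
constexpr uint16_t ETH_P_8021AD = 0x88a8;  // S-TAG / B-TAG (QinQ, PBB backbone VLAN)
constexpr uint16_t ETH_P_8021AH = 0x88e7;  // I-TAG (802.1ah, MAC-in-MAC)

// Mirrors the "Breakdown by protocol" counters from the thread for one frame.
struct Breakdown {
    unsigned eth = 0, vlan = 0, pbb = 0, ip4 = 0;
    uint32_t i_sid = 0;        // 24-bit service instance id from the I-TAG
    size_t   ip_offset = 0;    // offset of the IPv4 header, 0 if never reached
    uint16_t stopped_at = 0;   // ethertype the decoder could not handle, 0 if none
};

static uint16_t be16(const uint8_t* p) { return uint16_t((p[0] << 8) | p[1]); }

// decode_pbb=false models a decoder without an 802.1ah codec: it stops at 0x88e7,
// which is the behaviour behind "Eth 100%, VLAN 100%, IP4 0%".
Breakdown decode(const uint8_t* f, size_t len, bool decode_pbb) {
    Breakdown b;
    if (len < 14) return b;
    b.eth = 1;
    size_t off = 12;                      // skip (backbone) DA and SA
    while (off + 2 <= len) {
        uint16_t type = be16(f + off);
        off += 2;
        if (type == ETH_P_8021Q || type == ETH_P_8021AD) {
            if (off + 2 > len) return b;
            b.vlan = 1;
            off += 2;                      // TCI; the next ethertype follows it
            continue;
        }
        if (type == ETH_P_8021AH) {
            if (!decode_pbb) { b.stopped_at = type; return b; }
            if (off + 4 + 12 > len) return b;
            b.pbb = 1;
            // I-TCI: PCP/DEI/UCA/reserved in byte 0, I-SID in bytes 1..3
            b.i_sid = (uint32_t(f[off + 1]) << 16) | (uint32_t(f[off + 2]) << 8) | f[off + 3];
            off += 4 + 12;                 // I-TCI, then customer DA and SA
            continue;
        }
        if (type == ETH_P_IP) {
            if (off + 20 > len || (f[off] >> 4) != 4) return b;
            b.ip4 = 1;
            b.ip_offset = off;
            return b;
        }
        b.stopped_at = type;               // anything else is left undecoded
        return b;
    }
    return b;
}

// Constructed sample: backbone MACs, B-TAG, I-TAG, customer MACs, C-TAG, IPv4 header.
std::vector<uint8_t> sample_spbm_frame() {
    return {
        0x00,0x1b,0x4f,0x00,0x00,0x01, 0x00,0x1b,0x4f,0x00,0x00,0x02, // B-DA, B-SA
        0x88,0xa8, 0x00,0x64,                                         // B-TAG, B-VID 100
        0x88,0xe7, 0x00,0x01,0xe2,0x40,                               // I-TAG, I-SID 123456
        0x00,0x50,0x56,0xaa,0xbb,0xcc, 0x00,0x50,0x56,0xdd,0xee,0xff, // C-DA, C-SA
        0x81,0x00, 0x00,0x0a,                                         // C-TAG, VID 10
        0x08,0x00,                                                    // IPv4
        0x45,0x00,0x00,0x14, 0x00,0x00,0x40,0x00, 0x40,0x06,0x00,0x00,
        0xc0,0xa8,0x01,0x0a, 0xc0,0xa8,0x01,0x14                      // 192.168.1.10 -> .20
    };
}

int main() {
    std::vector<uint8_t> f = sample_spbm_frame();
    for (bool pbb : {false, true}) {
        Breakdown b = decode(f.data(), f.size(), pbb);
        std::printf("pbb codec %s: Eth %u VLAN %u PBB %u IP4 %u (I-SID %u, IP at %zu, stopped at 0x%04x)\n",
                    pbb ? "on " : "off", b.eth, b.vlan, b.pbb, b.ip4, b.i_sid, b.ip_offset, b.stopped_at);
    }
    return 0;
}
```

Run as-is it prints the two breakdowns: without I-TAG support the walk stops at 0x88e7 with IP4 0, with it the same frame yields IP4 1 at offset 40 and the I-SID the switch stamped on the service. In production the same check is quicker with tcpdump: if the captured frames show ethertype 0x88e7 before the IPv4 header, the decoder has to understand the I-TAG, which is what the codec in the extras provides.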
_______________________________________________
Snort-users mailing list
Snort-users@lists.snort.org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!