<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">Cool!  Does it handle multiple
      encapsulated frames now?  E.g. like this packet, which has two of
      them after the MPLS stack:<br>
      <br>
      <img alt="" src="cid:part1.03090602.01090009@somedamn.com"
        height="202" width="817"><br>
      <br>
      That's where I got stuck.<br>
      <pre class="moz-signature" cols="72">Matt</pre>
      On 7/18/2014 12:01 PM, Jason Ish wrote:<br>
    </div>
    <blockquote
cite="mid:CAPnyk9u5xk1P_jE8GaTYZa7S74beintGnT4FqYiRyxVN4JyLDQ@mail.gmail.com"
      type="cite">
      <pre wrap="">Adnan,

Great to hear.  I've updated MPLS support to handle encapsulated
ethernet as well, if you are using that. For testing purposes, I'd
rebase the patch against 2.0.2 if you are interested.  Just let me
know.

Jason

On Wed, Jul 16, 2014 at 11:29 AM, Adnan Baykal <a class="moz-txt-link-rfc2396E" href="mailto:abaykal@gmail.com"><abaykal@gmail.com></a> wrote:
</pre>
      <blockquote type="cite">
        <pre wrap="">Jason,

this is working fine. it is generating alerts and is analyzing the
http streams. I also verified that http.log is seeing ton of entries.

Thank you very much for you assistance.

On Tue, Jul 15, 2014 at 5:18 PM, Matt Carothers <a class="moz-txt-link-rfc2396E" href="mailto:matt@somedamn.com"><matt@somedamn.com></a> wrote:
</pre>
        <blockquote type="cite">
          <pre wrap="">You may (or may not) find this helpful as a starting point.  It's a patch to
strip MPLS headers from packets, so Suricata will at least function in an
MPLS environment.

Caveat: it doesn't work correctly on MPLS VPNs where multiple ethernet
frames are encapsulated into a single MPLS-tagged frame.

Matt


On 7/15/2014 12:23 PM, Jason Ish wrote:
</pre>
          <blockquote type="cite">
            <pre wrap="">
Hi Adnan,

I can take a look at decoding MPLS traffic.  Will update update you
when I have something usable.

Jason

On Mon, Jul 14, 2014 at 1:48 PM, Adnan Baykal <a class="moz-txt-link-rfc2396E" href="mailto:abaykal@gmail.com"><abaykal@gmail.com></a> wrote:
</pre>
            <blockquote type="cite">
              <pre wrap="">
are there any plans in the future to support MPLS in suricata? latest
discussions I can find are from 2011 and did not see anything since
then on the net.

Thanks
_______________________________________________
Suricata IDS Users mailing list: <a class="moz-txt-link-abbreviated" href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a>
Site: <a class="moz-txt-link-freetext" href="http://suricata-ids.org">http://suricata-ids.org</a> | Support: <a class="moz-txt-link-freetext" href="http://suricata-ids.org/support/">http://suricata-ids.org/support/</a>
List: <a class="moz-txt-link-freetext" href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a>
OISF: <a class="moz-txt-link-freetext" href="http://www.openinfosecfoundation.org/">http://www.openinfosecfoundation.org/</a>
</pre>
            </blockquote>
            <pre wrap="">
_______________________________________________
Suricata IDS Users mailing list: <a class="moz-txt-link-abbreviated" href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a>
Site: <a class="moz-txt-link-freetext" href="http://suricata-ids.org">http://suricata-ids.org</a> | Support: <a class="moz-txt-link-freetext" href="http://suricata-ids.org/support/">http://suricata-ids.org/support/</a>
List: <a class="moz-txt-link-freetext" href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a>
OISF: <a class="moz-txt-link-freetext" href="http://www.openinfosecfoundation.org/">http://www.openinfosecfoundation.org/</a>

</pre>
          </blockquote>
          <pre wrap="">
</pre>
        </blockquote>
      </blockquote>
      <pre wrap="">_______________________________________________
Suricata IDS Users mailing list: <a class="moz-txt-link-abbreviated" href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a>
Site: <a class="moz-txt-link-freetext" href="http://suricata-ids.org">http://suricata-ids.org</a> | Support: <a class="moz-txt-link-freetext" href="http://suricata-ids.org/support/">http://suricata-ids.org/support/</a>
List: <a class="moz-txt-link-freetext" href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a>
OISF: <a class="moz-txt-link-freetext" href="http://www.openinfosecfoundation.org/">http://www.openinfosecfoundation.org/</a>

</pre>
    </blockquote>
    <br>
  </body>
</html>