[Oisf-users] No alerts firing on interface receiving erspan; esx migration continued

Jay M. jskier at gmail.com
Sat Dec 20 15:16:39 UTC 2014


Hello,

I've got suricata running and churning away on an interface receiving
erspan from a Cisco 7k (so GRE header in front on all packets). It
appears to be flowing however no alerts are firing (using ET Pro). I
verified that the traffic flow matches my other rspan to the extent of
using gulp to strip off the GRE headers and piping into tcpdump on the
VM. There are alerts firing on the other rspan box, which should also
fire on the new esx suricata VM. suricata log indicates no errors with
the errors (I also have some local ones).

I don't see dns or tcp sessions though, which is odd. I'm running the
2.1beta2 version.

Is there something I need to do to configure the gre decoder? It
appears to be decoding properly based on the stats.log (alert debug
log is empty):

-------------------------------------------------------------------
Date: 12/20/2014 -- 09:11:26 (uptime: 0d, 00h 21m 59s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | RxPcaprspan01             | 1135762
capture.kernel_drops      | RxPcaprspan01             | 0
capture.kernel_ifdrops    | RxPcaprspan01             | 0
dns.memuse                | RxPcaprspan01             | 0
dns.memcap_state          | RxPcaprspan01             | 0
dns.memcap_global         | RxPcaprspan01             | 0
decoder.pkts              | RxPcaprspan01             | 1135692
decoder.bytes             | RxPcaprspan01             | 482596790
decoder.invalid           | RxPcaprspan01             | 0
decoder.ipv4              | RxPcaprspan01             | 1134774
decoder.ipv6              | RxPcaprspan01             | 0
decoder.ethernet          | RxPcaprspan01             | 1135692
decoder.raw               | RxPcaprspan01             | 0
decoder.sll               | RxPcaprspan01             | 0
decoder.tcp               | RxPcaprspan01             | 0
decoder.udp               | RxPcaprspan01             | 0
decoder.sctp              | RxPcaprspan01             | 0
decoder.icmpv4            | RxPcaprspan01             | 0
decoder.icmpv6            | RxPcaprspan01             | 0
decoder.ppp               | RxPcaprspan01             | 0
decoder.pppoe             | RxPcaprspan01             | 0
decoder.gre               | RxPcaprspan01             | 1134774
decoder.vlan              | RxPcaprspan01             | 0
decoder.vlan_qinq         | RxPcaprspan01             | 0
decoder.teredo            | RxPcaprspan01             | 0
decoder.ipv4_in_ipv6      | RxPcaprspan01             | 0
decoder.ipv6_in_ipv6      | RxPcaprspan01             | 0
decoder.mpls              | RxPcaprspan01             | 0
decoder.avg_pkt_size      | RxPcaprspan01             | 424
decoder.max_pkt_size      | RxPcaprspan01             | 1504
defrag.ipv4.fragments     | RxPcaprspan01             | 0
defrag.ipv4.reassembled   | RxPcaprspan01             | 0
defrag.ipv4.timeouts      | RxPcaprspan01             | 0
defrag.ipv6.fragments     | RxPcaprspan01             | 0
defrag.ipv6.reassembled   | RxPcaprspan01             | 0
defrag.ipv6.timeouts      | RxPcaprspan01             | 0
defrag.max_frag_hits      | RxPcaprspan01             | 0
tcp.sessions              | Detect                    | 0
tcp.ssn_memcap_drop       | Detect                    | 0
tcp.pseudo                | Detect                    | 0
tcp.pseudo_failed         | Detect                    | 0
tcp.invalid_checksum      | Detect                    | 0
tcp.no_flow               | Detect                    | 0
tcp.reused_ssn            | Detect                    | 0
tcp.memuse                | Detect                    | 0
tcp.syn                   | Detect                    | 0
tcp.synack                | Detect                    | 0
tcp.rst                   | Detect                    | 0
dns.memuse                | Detect                    | 0
dns.memcap_state          | Detect                    | 0
dns.memcap_global         | Detect                    | 0
tcp.segment_memcap_drop   | Detect                    | 0
tcp.stream_depth_reached  | Detect                    | 0
tcp.reassembly_memuse     | Detect                    | 0
tcp.reassembly_gap        | Detect                    | 0
http.memuse               | Detect                    | 0
http.memcap               | Detect                    | 0
detect.alert              | Detect                    | 0
flow_mgr.closed_pruned    | FlowManagerThread         | 0
flow_mgr.new_pruned       | FlowManagerThread         | 0
flow_mgr.est_pruned       | FlowManagerThread         | 0
flow.memuse               | FlowManagerThread         | 7474304
flow.spare                | FlowManagerThread         | 10000
flow.emerg_mode_entered   | FlowManagerThread         | 0
flow.emerg_mode_over      | FlowManagerThread         | 0

--
Jay
jskier at gmail.com
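The counters above show decoder.gre equal to decoder.ipv4 while decoder.tcp, decoder.udp and tcp.sessions stay at zero, so the GRE layer is counted but nothing inside it ever reaches the IP and TCP decoders. The script below is an added example, not part of the post or of Suricata: it walks the encapsulation chain of a constructed ERSPAN Type II frame the way the poster did with gulp and tcpdump, reporting each layer it can chain through and where it has to stop. GRE flag handling follows RFC 2784/2890 and the 8-byte ERSPAN Type II header sits behind GRE protocol type 0x88BE; MAC addresses, IPs, ports, VLAN and session id in the sample frames are made up.

```python
import struct

ETH_P_IP = 0x0800
IP_PROTO_GRE = 47
GRE_PROTO_ERSPAN2 = 0x88BE    # GRE protocol type carried by ERSPAN Type II
IP_PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

def parse_ethernet(b):
    return struct.unpack("!H", b[12:14])[0], b[14:]   # (ethertype, payload)
def parse_ipv4(b):
    return b[9], b[(b[0] & 0x0F) * 4:]                # (protocol, payload after IHL)
def parse_gre(b):
    # RFC 2784/2890: the C, K and S flag bits each add one 4-byte optional field
    flags, proto = struct.unpack("!HH", b[:4])
    off = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
    return proto, b[off:]

def walk(frame):
    layers, (ethertype, rest) = ["eth"], parse_ethernet(frame)
    if ethertype != ETH_P_IP:
        return layers + ["ethertype_0x%04x" % ethertype]
    proto, rest = parse_ipv4(rest); layers.append("ipv4")
    if proto != IP_PROTO_GRE:
        return layers + [IP_PROTO_NAMES.get(proto, "ipproto_%d" % proto)]
    gre_proto, rest = parse_gre(rest); layers.append("gre")
    if gre_proto == GRE_PROTO_ERSPAN2:
        # 8-byte ERSPAN Type II header, then a complete Ethernet frame of the mirrored packet
        ethertype, rest = parse_ethernet(rest[8:]); layers += ["erspan2", "eth"]
        if ethertype != ETH_P_IP:
            return layers + ["ethertype_0x%04x" % ethertype]
    elif gre_proto != ETH_P_IP:
        return layers + ["gre_proto_0x%04x" % gre_proto]  # an IPv4-only GRE decoder stops here
    proto, rest = parse_ipv4(rest); layers.append("ipv4")
    return layers + [IP_PROTO_NAMES.get(proto, "ipproto_%d" % proto)]

# Constructed sample frames: MACs, addresses, ports, VLAN and session id are made up
ETH_HDR = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETH_P_IP)

def ipv4_hdr(proto, payload_len):
    # header checksum left at zero: only the structure matters for the walk
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

TCP_SYN = struct.pack("!HHIIBBHHH", 51000, 443, 1, 0, 0x50, 0x02, 8192, 0, 0)
INNER = ETH_HDR + ipv4_hdr(6, len(TCP_SYN)) + TCP_SYN
GRE_S = struct.pack("!HHI", 0x1000, GRE_PROTO_ERSPAN2, 7)   # S flag set, sequence number 7
ERSPAN2 = struct.pack("!HHI", 0x1064, 0x0005, 0)             # ver 1, vlan 100, session id 5, index 0
ERSPAN_FRAME = ETH_HDR + ipv4_hdr(IP_PROTO_GRE, len(GRE_S + ERSPAN2 + INNER)) + GRE_S + ERSPAN2 + INNER
PLAIN_GRE = struct.pack("!HH", 0, ETH_P_IP) + ipv4_hdr(6, len(TCP_SYN)) + TCP_SYN
PLAIN_GRE_FRAME = ETH_HDR + ipv4_hdr(IP_PROTO_GRE, len(PLAIN_GRE)) + PLAIN_GRE
```

Running walk() over a capture from the ERSPAN interface tells you whether the frames carry 0x88BE with the extra ERSPAN header (as here) or plain IPv4-in-GRE; a decoder that only chains GRE into IPv4 produces exactly the counter pattern in the poster's stats.log for the former.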

