[Oisf-users] No alerts firing on interface recieving erspan; esx migration continued

[Victor Julien]

On 12/20/2014 04:16 PM, Jay M. wrote:
> I've got suricata running and churning away on an interface recieving
> erspan from a Cisco 7k (so GRE header in front on all packets). It
> appears to be flowing however no alerts are firing (using ET Pro). I
> verified that the traffic flow matches my other rspan to the extent of
> using gulp to strip off the GRE headers and piping into tcpdump on the
> VM. There are alerts firing on the other rspan box, which should also
> fire on the new esx suricata VM. suricata log indicates no errors with
> the errors (I also have some local ones).
> 
> I don't see dns or tcp sessions though, which is odd. I'm running the
> 2.1beta2 version.
> 
> Is there something I need to do to configure the gre decorder? it
> appears to be decoding properly based on the stats.log (alert debug
> log is empty):

No, it should work automatically. Most likely cause is that our decoder
doesn't support decoding the tunnel fully.

Could you check it in wireshark to see what the protocol is GRE
encapsulates? Feel free to send a pcap off-list if you want.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------