[Oisf-users] No alerts firing on interface recieving erspan; esx migration continued

Jay M. jskier at gmail.com
Sat Dec 20 18:44:40 UTC 2014


Sent some packet details off-list.

I also tested offline pcap with gulp output, works as expected.
--
Jay
jskier at gmail.com


On Sat, Dec 20, 2014 at 9:45 AM, Victor Julien <lists at inliniac.net> wrote:
> On 12/20/2014 04:16 PM, Jay M. wrote:
>> I've got suricata running and churning away on an interface recieving
>> erspan from a Cisco 7k (so GRE header in front on all packets). It
>> appears to be flowing however no alerts are firing (using ET Pro). I
>> verified that the traffic flow matches my other rspan to the extent of
>> using gulp to strip off the GRE headers and piping into tcpdump on the
>> VM. There are alerts firing on the other rspan box, which should also
>> fire on the new esx suricata VM. suricata log indicates no errors with
>> the errors (I also have some local ones).
>>
>> I don't see dns or tcp sessions though, which is odd. I'm running the
>> 2.1beta2 version.
>>
>> Is there something I need to do to configure the gre decorder? it
>> appears to be decoding properly based on the stats.log (alert debug
>> log is empty):
>
> No, it should work automatically. Most likely cause is that our decoder
> doesn't support decoding the tunnel fully.
>
> Could you check it in wireshark to see what the protocol is GRE
> encapsulates? Feel free to send a pcap off-list if you want.
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Training now available: http://suricata-ids.org/training/



More information about the Oisf-users mailing list