[Oisf-users] MPLS Support
Matt Carothers
matt at somedamn.com
Tue Jul 15 21:18:03 UTC 2014
You may (or may not) find this helpful as a starting point. It's a
patch to strip MPLS headers from packets, so Suricata will at least
function in an MPLS environment.
Caveat: it doesn't work correctly on MPLS VPNs where multiple Ethernet
frames are encapsulated into a single MPLS-tagged frame.
Matt
On 7/15/2014 12:23 PM, Jason Ish wrote:
> Hi Adnan,
>
> I can take a look at decoding MPLS traffic. Will update you
> when I have something usable.
>
> Jason
>
> On Mon, Jul 14, 2014 at 1:48 PM, Adnan Baykal <abaykal at gmail.com> wrote:
>> Are there any plans in the future to support MPLS in Suricata? The latest
>> discussions I can find are from 2011 and I did not see anything since
>> then on the net.
>>
>> Thanks
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> OISF: http://www.openinfosecfoundation.org/
diff -up old/decode-ethernet.c new/decode-ethernet.c
--- old/decode-ethernet.c 2014-07-15 17:10:07.947388063 -0400
+++ new/decode-ethernet.c 2014-07-15 17:10:19.163388551 -0400
@@ -53,6 +53,8 @@ int DecodeEthernet(ThreadVars *tv, Decod
return TM_ECODE_FAILED;
SCLogDebug("p %p pkt %p ether type %04x", p, pkt, ntohs(p->ethh->eth_type));
+ uint8_t *mpls_ptr;
+ uint8_t mpls_offset_len;
switch (ntohs(p->ethh->eth_type)) {
case ETHERNET_TYPE_IP:
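Review bot: `mpls_ptr` and `mpls_offset_len` are declared after the `SCLogDebug` statement, in the middle of the function body, which needs C99 mixed declarations and departs from the surrounding code, which declares at the top of the function; move both to the top of `DecodeEthernet` or scope them in a braced block inside the MPLS case. `uint8_t` is also too narrow for `mpls_offset_len`: it wraps to 0 after 64 labels (64 * 4 = 256), which would point the payload back at the first label, so use `uint16_t` or `uint32_t` and cap the number of labels.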
@@ -60,6 +62,21 @@ int DecodeEthernet(ThreadVars *tv, Decod
DecodeIPV4(tv, dtv, p, pkt + ETHERNET_HEADER_LEN,
len - ETHERNET_HEADER_LEN, pq);
break;
+ case ETHERNET_TYPE_MPLS_UNICAST:
+ case ETHERNET_TYPE_MPLS_MULTICAST:
+ mpls_ptr = pkt + ETHERNET_HEADER_LEN;
+ // Offset will be 4 bytes per label in the stack
+ mpls_offset_len = 4;
+ // Byte 3 of the MPLS label will end in 1 if the label is the bottom
+ // of the stack
+ while (mpls_ptr <= pkt + len - 4 && *(mpls_ptr + 3) & 1 != 1)
+ {
+ mpls_offset_len += 4;
+ mpls_ptr += 4;
+ }
+ DecodeIPV4(tv, dtv, p, pkt + ETHERNET_HEADER_LEN + mpls_offset_len,
+ len - ETHERNET_HEADER_LEN - mpls_offset_len, pq);
+ break;
case ETHERNET_TYPE_IPV6:
//printf("DecodeEthernet ip6\n");
DecodeIPV6(tv, dtv, p, pkt + ETHERNET_HEADER_LEN,
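Review bot: the loop condition `*(mpls_ptr + 3) & 1 != 1` has an operator-precedence bug: `!=` binds tighter than `&`, so it evaluates as `*(mpls_ptr + 3) & (1 != 1)`, which is always 0, the loop never iterates, and only the first label is ever stripped. It also tests the wrong byte: an MPLS entry is label(20) | TC(3) | S(1) | TTL(8), so the bottom-of-stack bit is the low bit of the third byte, `mpls_ptr[2]`, while `mpls_ptr + 3` is the TTL. Suggest `while (mpls_ptr + 4 <= pkt + len && (mpls_ptr[2] & 0x01) == 0)`. Two further points: `len - ETHERNET_HEADER_LEN - mpls_offset_len` is unsigned and wraps when the frame is shorter than the label stack (for example `len < ETHERNET_HEADER_LEN + 4`, where the guard stops the loop but the 4 is still subtracted), so check the remaining length after the loop and raise an invalid-packet event instead of calling `DecodeIPV4` with a wrapped length; and the payload is handed to `DecodeIPV4` unconditionally although MPLS has no protocol field, so look at the first nibble of the payload (4 for IPv4, 6 for IPv6, 0 for a pseudowire control word) and only decode what it identifies.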
diff -up old/decode-ethernet.h new/decode-ethernet.h
--- old/decode-ethernet.h 2014-07-15 17:10:07.947388063 -0400
+++ new/decode-ethernet.h 2014-07-15 17:10:19.163388551 -0400
@@ -31,6 +31,8 @@
#define ETHERNET_TYPE_IP 0x0800
#define ETHERNET_TYPE_ARP 0x0806
#define ETHERNET_TYPE_REVARP 0x8035
+#define ETHERNET_TYPE_MPLS_UNICAST 0x8847
+#define ETHERNET_TYPE_MPLS_MULTICAST 0x8848
#define ETHERNET_TYPE_EAPOL 0x888e
#define ETHERNET_TYPE_IPV6 0x86dd
#define ETHERNET_TYPE_IPX 0x8137
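As an added example that is not part of the patch or of Suricata, this is the label-stack walk the patch attempts, written with the bottom-of-stack bit read from the correct byte, bounds checks on the stack and payload, and a first-nibble check so non-IP payloads are not decoded as IPv4; the function name `mpls_strip`, the result struct and the sample byte arrays are my own constructed names and data.

```c
/* Added example (not from the patch above): bounds-checked MPLS label
 * stack walker. Each 4-byte entry is label(20) | TC(3) | S(1) | TTL(8),
 * so the bottom-of-stack bit is bit 0 of the THIRD byte, not the fourth. */
#include <stdint.h>
#include <stddef.h>

#define MPLS_ENTRY_LEN 4

typedef struct {
    size_t payload_off;   /* offset of the payload in buf, 0 on error */
    int ip_version;       /* 4, 6, or 0 when the payload is not IP */
    unsigned labels;      /* entries consumed before finishing or giving up */
} mpls_result_t;

/* buf/len is everything after the Ethernet header of an 0x8847/0x8848 frame. */
mpls_result_t mpls_strip(const uint8_t *buf, size_t len)
{
    mpls_result_t r = { 0, 0, 0 };
    size_t off = 0;
    int bottom = 0;
    while (!bottom) {
        if (len - off < MPLS_ENTRY_LEN)      /* truncated label stack */
            return r;
        bottom = (buf[off + 2] & 0x01) != 0; /* S bit of this entry */
        off += MPLS_ENTRY_LEN;
        r.labels++;
    }
    if (off >= len)                          /* stack ends, no payload */
        return r;
    /* MPLS has no protocol field; infer the IP version from the first
     * nibble. 0 is a pseudowire control word, so it is left undecoded;
     * Ethernet-over-MPLS without a control word (the VPN case in the
     * mail above) cannot be told apart by this heuristic. */
    switch (buf[off] >> 4) {
        case 4: r.ip_version = 4; break;
        case 6: r.ip_version = 6; break;
        default: return r;
    }
    r.payload_off = off;
    return r;
}

/* Constructed sample: labels 100 (S=0) and 200 (S=1), then an IPv4 header start. */
static const uint8_t sample_two_labels[] = { 0x00, 0x06, 0x40, 0x40,
    0x00, 0x0C, 0x81, 0x40, 0x45, 0x00, 0x00, 0x14 };
/* Constructed sample: one bottom-of-stack label with nothing after it. */
static const uint8_t sample_no_payload[] = { 0x00, 0x06, 0x41, 0x40 };
```

Passing `sample_two_labels` with a length of 6 exercises the truncated-stack path and returns a zero payload offset after consuming one label.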