[Oisf-users] MPLS Support

Matt Carothers matt at somedamn.com
Fri Jul 18 21:08:24 UTC 2014


Cool!  Does it handle multiple encapsulated frames now?  E.g. like this 
packet, which has two of them after the MPLS stack:



That's where I got stuck.

Matt

On 7/18/2014 12:01 PM, Jason Ish wrote:
> Adnan,
>
> Great to hear.  I've updated MPLS support to handle encapsulated
> ethernet as well, if you are using that. For testing purposes, I'd
> rebase the patch against 2.0.2 if you are interested.  Just let me
> know.
>
> Jason
>
> On Wed, Jul 16, 2014 at 11:29 AM, Adnan Baykal <abaykal at gmail.com> wrote:
>> Jason,
>>
>> This is working fine. It is generating alerts and is analyzing the
>> http streams. I also verified that http.log is seeing a ton of entries.
>>
>> Thank you very much for your assistance.
>>
>> On Tue, Jul 15, 2014 at 5:18 PM, Matt Carothers <matt at somedamn.com> wrote:
>>> You may (or may not) find this helpful as a starting point.  It's a patch to
>>> strip MPLS headers from packets, so Suricata will at least function in an
>>> MPLS environment.
>>>
>>> Caveat: it doesn't work correctly on MPLS VPNs where multiple ethernet
>>> frames are encapsulated into a single MPLS-tagged frame.
>>>
>>> Matt
>>>
>>>
>>> On 7/15/2014 12:23 PM, Jason Ish wrote:
>>>> Hi Adnan,
>>>>
>>>> I can take a look at decoding MPLS traffic.  Will update you
>>>> when I have something usable.
>>>>
>>>> Jason
>>>>
>>>> On Mon, Jul 14, 2014 at 1:48 PM, Adnan Baykal <abaykal at gmail.com> wrote:
>>>>> Are there any plans in the future to support MPLS in Suricata? latest
>>>>> discussions I can find are from 2011 and did not see anything since
>>>>> then on the net.
>>>>>
>>>>> Thanks
>>>>> _______________________________________________
>>>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>>>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>>>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>>> OISF: http://www.openinfosecfoundation.org/
>>>>
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: MPLS.png
Type: image/png
Size: 136414 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20140718/a7ac1260/attachment-0002.png>
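
The header stripping discussed in this thread, as an added example; it is neither the patch mentioned above nor Suricata's decoder. It walks the label stack with bounds checks and guesses the inner payload from its first nibble. All names, the depth cap of 16, the assumption that encapsulated Ethernet is preceded by a 4-byte pseudowire control word, and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum mpls_payload { MPLS_BAD, MPLS_IPV4, MPLS_IPV6, MPLS_PW_ETHERNET, MPLS_UNKNOWN };
struct mpls_result { enum mpls_payload type; size_t inner_off; unsigned labels; uint32_t last_label; };
#define MPLS_MAX_LABELS 16 /* assumed sanity cap on stack depth */

/* Constructed samples: the bytes that follow EtherType 0x8847. */
const uint8_t sample_ip[] = {   /* labels 100 and 200 (S set), then an IPv4 header start */
    0x00,0x06,0x40,0x40, 0x00,0x0c,0x81,0x40, 0x45,0x00,0x00,0x14 };
const uint8_t sample_pw[] = {   /* label 300 (S set), control word, Ethernet header */
    0x00,0x12,0xc1,0xff, 0x00,0x00,0x00,0x00,
    0x02,0,0,0,0,0x01, 0x02,0,0,0,0,0x02, 0x08,0x00 };
const uint8_t sample_cut[] = { 0x00,0x06,0x40,0x40, 0x00,0x0c }; /* ends before S bit */

/* buf points at the first 4-byte entry: label(20) | TC(3) | S(1) | TTL(8). */
struct mpls_result mpls_strip(const uint8_t *buf, size_t len)
{
    struct mpls_result r = { MPLS_BAD, 0, 0, 0 };
    size_t off = 0;
    int bottom = 0;
    while (!bottom) {
        if (r.labels == MPLS_MAX_LABELS || len - off < 4)
            return r;                       /* truncated or runaway stack */
        r.last_label = ((uint32_t)buf[off] << 12) | ((uint32_t)buf[off + 1] << 4) | (buf[off + 2] >> 4);
        bottom = buf[off + 2] & 0x01;       /* bottom-of-stack flag */
        off += 4;
        r.labels++;
    }
    if (off == len) return r;               /* label stack with nothing after it */
    r.inner_off = off;
    /* MPLS has no next-protocol field, so the type is a guess from the first nibble. */
    switch (buf[off] >> 4) {
    case 4: r.type = MPLS_IPV4; break;
    case 6: r.type = MPLS_IPV6; break;
    case 0:                                 /* control word, then an Ethernet frame */
        if (len - off < 4 + 14) { r.inner_off = 0; break; }
        r.type = MPLS_PW_ETHERNET; r.inner_off = off + 4; break;
    default: r.type = MPLS_UNKNOWN;         /* e.g. Ethernet without a control word */
    }
    return r;
}

int main(void)
{
    struct mpls_result r = mpls_strip(sample_pw, sizeof sample_pw);
    printf("type=%d labels=%u inner_off=%zu\n", (int)r.type, r.labels, r.inner_off);
    return 0;
}
```

An Ethernet frame carried without a control word whose destination MAC begins with nibble 4 or 6 would be misread as IP by this heuristic, so a sensor should treat the guess as provisional and validate the inner header.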
