[Oisf-users] MPLS support

[Jason Ish]

On Mon, Oct 10, 2016 at 8:21 AM, Michał D <michu162 at gmail.com> wrote:
> Hello,
>
> In suricata 3.1.1 how to enable/configure mpls support?
> I use pcap mode just for logging http requests. For interfaces where I
> receive copy of IP traffic it works well, but for other one where I have
> MPLS traffic (single or double tag) I don't have any entries in http.log
>
> run with:
> /usr/bin/suricata -c /etc/suricata/suricata.yaml --disable-detection
> --pidfile /var/run/suricata.pid --pcap=eth6 -D -vvv
>
>>>> iface-stat eth6
> Success:
> {
>     "drop": 88596,
>     "invalid-checksums": 0,
>     "pkts": 23139042
> }
>
> # tcpdump -i eth6 -nn -c 1
> 16:09:52.788799 MPLS (label 299920, exp 0, ttl 254) (label 16, exp 0, [S],
> ttl 254) IP xxx.xxx.xxx.xxx.60842 > xxx.xxx.xxx.xxx.80: Flags [.], ack
> 1736707743, win 65535, length 0
>
> # service suricata start
> Starting suricata in IDS (pcap) mode... done.
> root at s50873:/var/log/suricata# tail: suricata.log: file truncated
> 10/10/2016 -- 16:19:34 - <Notice> - This is Suricata version 3.1.1 RELEASE
> 10/10/2016 -- 16:19:34 - <Info> - CPUs/cores online: 12
> 10/10/2016 -- 16:19:34 - <Info> - Protocol detection and parser disabled for
> tls protocol
> 10/10/2016 -- 16:19:34 - <Info> - Protocol detection and parser disabled for
> smb protocol.
> 10/10/2016 -- 16:19:34 - <Info> - Protocol detection and parser disabled for
> dcerpc protocol.
> 10/10/2016 -- 16:19:34 - <Info> - Protocol detection and parser disabled for
> dcerpc protocol.
> 10/10/2016 -- 16:19:34 - <Info> - Parsed disabled for ftp protocol. Protocol
> detectionstill on.
> 10/10/2016 -- 16:19:34 - <Info> - Protocol detection and parser disabled for
> smtp protocol.
> 10/10/2016 -- 16:19:34 - <Info> - Found an MTU of 1500 for 'eth6'
> 10/10/2016 -- 16:19:34 - <Info> - eve-log output device (regular)
> initialized: http.json
> 10/10/2016 -- 16:19:34 - <Notice> - JsonTlsLog logger not enabled: protocol
> tls is disabled
> 10/10/2016 -- 16:19:34 - <Info> - eve-log output device (regular)
> initialized: dns.json
> 10/10/2016 -- 16:19:34 - <Info> - stats output device (regular) initialized:
> stats.log
> 10/10/2016 -- 16:19:34 - <Info> - Going to use 3 thread(s)
> 10/10/2016 -- 16:19:34 - <Info> - using interface eth6
> 10/10/2016 -- 16:19:34 - <Info> - Found an MTU of 1500 for 'eth6'
> 10/10/2016 -- 16:19:34 - <Info> - Set snaplen to 1524 for 'eth6'
> 10/10/2016 -- 16:19:34 - <Info> - using interface eth6
> 10/10/2016 -- 16:19:34 - <Info> - Found an MTU of 1500 for 'eth6'
> 10/10/2016 -- 16:19:34 - <Info> - Set snaplen to 1524 for 'eth6'
> 10/10/2016 -- 16:19:34 - <Info> - using interface eth6
> 10/10/2016 -- 16:19:34 - <Info> - Found an MTU of 1500 for 'eth6'
> 10/10/2016 -- 16:19:34 - <Info> - Set snaplen to 1524 for 'eth6'
> 10/10/2016 -- 16:19:34 - <Info> - RunModeIdsPcapWorkers initialised
> 10/10/2016 -- 16:19:34 - <Notice> - all 3 packet processing threads, 4
> management threads initialized, engine started.
>
> # service suricata stop
> Stopping suricata: 10/10/2016 -- 16:19:09 - <Notice> - Signal Received.
> Stopping engine.
> Waiting . . . . 10/10/2016 -- 16:19:18 - <Info> - time elapsed 225.428s
> . . 10/10/2016 -- 16:19:22 - <Info> - (W#01-eth6) Packets 29693283, bytes
> 7721919854
> 10/10/2016 -- 16:19:22 - <Info> - (W#01-eth6) Pcap Total:31829666
> Recv:29698732 Drop:2130934 (6.7%).
> 10/10/2016 -- 16:19:22 - <Info> - (W#02-eth6) Packets 29347449, bytes
> 7639472868
> 10/10/2016 -- 16:19:22 - <Info> - (W#02-eth6) Pcap Total:31844856
> Recv:29352937 Drop:2491919 (7.8%).
> 10/10/2016 -- 16:19:22 - <Info> - (W#03-eth6) Packets 28579990, bytes
> 7440600831
> 10/10/2016 -- 16:19:22 - <Info> - (W#03-eth6) Pcap Total:31837384
> Recv:28585444 Drop:3251940 (10.2%).
> 10/10/2016 -- 16:19:23 - <Notice> - Stats for 'eth6':  pkts: 87620722, drop:
> 1367385 (1.56%), invalid chksum: 0

Are you getting any of the MPLS decoder alerts?  There are 4 MPLS
rules included in decoder-events.rules.

Any chance you can provide a small pcap of your MPLS traffic? Ideally
with something like an HTTP request in it? You can provide this
privately.

Thanks,
Jason