Feature #1342
closed
Support Cisco erspan traffic
Added by Jay MJ almost 10 years ago.
Updated over 9 years ago.
Description
Please add support for decoding Cisco erspan traffic, common on some Cisco 5k and 7k devices which do not support rspan or other common forms of port mirroring.
I have provided Victor sample data to provide insight into the unique headers Cisco uses.
Additionally, I have conducted testing with the latest version of snort and have confirmed erspan is working, in addition to the note on their blog: http://blog.snort.org/2013/07/snort-295-is-now-available.html.
I am available to provide testing if needed.
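To make concrete what "decoding ERSPAN" means for a sensor, here is an added example (not the ticket's sample data, not Suricata's decoder) that strips the outer GRE header and the ERSPAN Type II header from a constructed packet to reach the mirrored Ethernet frame. The field layout is taken from the ERSPAN draft specification (GRE protocol type 0x88BE for Type I/II, 0x22EB for Type III; Type I carries no ERSPAN header and no GRE sequence number, Type II adds an 8-byte header after a GRE header with the S bit set). The sample packet bytes are constructed here for illustration, not captured from a Nexus switch.

```python
import struct

# GRE protocol-type values for ERSPAN, per the ERSPAN draft specification
GRE_PROTO_ERSPAN_I_II = 0x88BE
GRE_PROTO_ERSPAN_III = 0x22EB

# GRE flag bits in the first 16-bit word (RFC 2784/2890)
GRE_FLAG_C = 0x8000  # checksum present
GRE_FLAG_K = 0x2000  # key present
GRE_FLAG_S = 0x1000  # sequence number present


def parse_gre(data):
    """Parse a GRE header; return (flags, protocol, payload after optional fields)."""
    if len(data) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", data[:4])
    offset = 4
    if flags & GRE_FLAG_C:
        offset += 4  # checksum (2 bytes) + reserved1 (2 bytes)
    if flags & GRE_FLAG_K:
        offset += 4  # key
    if flags & GRE_FLAG_S:
        offset += 4  # sequence number
    if len(data) < offset:
        raise ValueError("truncated GRE optional fields")
    return flags, proto, data[offset:]


def parse_erspan_type2(data):
    """Decode the 8-byte ERSPAN Type II header; return (fields, inner_frame)."""
    if len(data) < 8:
        raise ValueError("truncated ERSPAN Type II header")
    w0, w1 = struct.unpack("!II", data[:8])
    fields = {
        "version": w0 >> 28,          # 1 for Type II
        "vlan": (w0 >> 16) & 0xFFF,   # original VLAN of the mirrored frame
        "cos": (w0 >> 13) & 0x7,
        "encap": (w0 >> 11) & 0x3,    # 0 = untagged, 1 = ISL, 2 = 802.1Q, 3 = tag kept in frame
        "truncated": (w0 >> 10) & 0x1,
        "session_id": w0 & 0x3FF,     # ERSPAN monitor session number
        "index": w1 & 0xFFFFF,        # port/direction index (low 20 bits of word 2)
    }
    if fields["version"] != 1:
        raise ValueError("unexpected ERSPAN version %d" % fields["version"])
    return fields, data[8:]


def decode_erspan(gre_packet):
    """Strip GRE + ERSPAN encapsulation.

    Returns (erspan_type, header_fields_or_None, inner_ethernet_frame).
    """
    flags, proto, payload = parse_gre(gre_packet)
    if proto == GRE_PROTO_ERSPAN_III:
        raise ValueError("ERSPAN Type III is not handled in this example")
    if proto != GRE_PROTO_ERSPAN_I_II:
        raise ValueError("GRE protocol 0x%04x is not ERSPAN" % proto)
    if not flags & GRE_FLAG_S:
        # Type I: no ERSPAN header; the mirrored frame follows the GRE header directly
        return 1, None, payload
    fields, inner = parse_erspan_type2(payload)
    return 2, fields, inner


def inner_ethertype(frame):
    """EtherType of the decapsulated Ethernet frame (what the sensor decodes next)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet frame")
    return struct.unpack("!H", frame[12:14])[0]


# Constructed sample: a minimal mirrored Ethernet frame carrying an IPv4 header stub
_INNER_FRAME = bytes.fromhex("0011223344550066778899aa0800") + b"\x45" + b"\x00" * 19


def build_sample_type2():
    """GRE (S bit, seq=1) + ERSPAN II (VLAN 100, En=3, session 5, index 7) + frame."""
    gre = struct.pack("!HHI", GRE_FLAG_S, GRE_PROTO_ERSPAN_I_II, 1)
    w0 = (1 << 28) | (100 << 16) | (3 << 11) | 5
    erspan = struct.pack("!II", w0, 7)
    return gre + erspan + _INNER_FRAME


def build_sample_type1():
    """GRE with no options and protocol 0x88BE, frame follows immediately (Type I)."""
    return struct.pack("!HH", 0, GRE_PROTO_ERSPAN_I_II) + _INNER_FRAME


if __name__ == "__main__":
    for pkt in (build_sample_type2(), build_sample_type1()):
        erspan_type, hdr, inner = decode_erspan(pkt)
        print("ERSPAN Type %s" % ("II" if erspan_type == 2 else "I"), hdr,
              "inner EtherType 0x%04x" % inner_ethertype(inner))
```

The point for a sensor is the last step: once the GRE and ERSPAN headers are stripped, the remaining bytes are an ordinary Ethernet frame, and the VLAN and session ID from the ERSPAN header are the only metadata worth carrying into the event log.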
- Status changed from New to Assigned
- Target version changed from TBD to 2.1beta4
- Target version changed from 2.1beta4 to 3.0RC1
Compiled and did a quick test run. No erspan errors and eve log looks promising. I'll do some comparative analysis between logs with the non-erspan and report back this week. Much appreciation for your work on this.
Running for several hours with the same rule set and configuration as the other mirror. Alert data is matching up, will check http and other event types.
- Status changed from Assigned to Closed
- Priority changed from High to Normal
- % Done changed from 0 to 100