Feature #3422

closed

GRE ERSPAN Type 1 Support

Added by Golan Sharon almost 5 years ago. Updated almost 5 years ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Effort:
Difficulty: medium
Label: Protocol

Description

Hello Team

Our client uses a Cumulus-based switch with ERSPAN configured.
It seems that Cumulus transfers the traffic as encapsulated ERSPAN Type 1, while Suricata supports only ERSPAN Type 2.

We found the following:
Suricata decodes only ERSPAN Type 2
https://github.com/OISF/suricata/blob/master/src/decode-erspan.c

<line 60> /* only v1 is tested at this time */
<line 61> if (version != 1)

After removing the condition and allowing Suricata to try to decode different types (tested Type 1), no content was identified due to the different header size (32 bits for Type 1 instead of 64 bits for Type 2).
We were able to compile and test a version that supports type 1 instead of type 2.
Since many vendors that are not Cisco may use ERSPAN Type 1, we believe that it is important to have support for both ERSPAN Types in the stable version.

Can you please assist with the issue?

Thank you

Golan


Files

record3.pcap (6.42 KB) record3.pcap Golan Sharon, 12/18/2019 12:51 PM
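
The Type 1 versus Type 2 distinction raised in the description, as an added example (not part of the original ticket and not Suricata's code). It assumes the ERSPAN Internet-Draft layout, in which Type I has no GRE sequence number and no ERSPAN header, while Type II sets the GRE S bit and adds a 64-bit header whose version field is 1; the function name, constants and sample packets are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define GRE_C 0x8000u            /* checksum present */
#define GRE_R 0x4000u            /* routing present (RFC 1701), not handled here */
#define GRE_K 0x2000u            /* key present */
#define GRE_S 0x1000u            /* sequence number present */
#define GRE_PROTO_ERSPAN 0x88BEu /* GRE protocol type used by ERSPAN Type I and II */
#define ERSPAN2_HDR_LEN 8u       /* 64-bit ERSPAN Type II header */
#define ETH_HDR_LEN 14u          /* minimum mirrored Ethernet header */
enum { ERSPAN_INVALID = -1, NOT_ERSPAN = 0, ERSPAN_TYPE_1 = 1, ERSPAN_TYPE_2 = 2 };
static unsigned be16(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* buf points at the GRE header; *eth_off receives the inner Ethernet offset. */
int erspan_classify(const uint8_t *buf, size_t len, size_t *eth_off)
{
    if (len < 4) return ERSPAN_INVALID;
    unsigned flags = be16(buf);
    if (be16(buf + 2) != GRE_PROTO_ERSPAN) return NOT_ERSPAN;
    if (flags & GRE_R) return ERSPAN_INVALID;  /* source routing: rejected */
    size_t off = 4;
    if (flags & GRE_C) off += 4;               /* checksum + reserved */
    if (flags & GRE_K) off += 4;               /* key */
    int type = ERSPAN_TYPE_1;                  /* no S bit: frame follows GRE */
    if (flags & GRE_S) {
        off += 4;                              /* sequence number */
        if (len < off + ERSPAN2_HDR_LEN) return ERSPAN_INVALID;
        if ((buf[off] >> 4) != 1) return ERSPAN_INVALID; /* Ver 1 = Type II */
        off += ERSPAN2_HDR_LEN;
        type = ERSPAN_TYPE_2;
    }
    if (len < off + ETH_HDR_LEN) return ERSPAN_INVALID;  /* truncated frame */
    *eth_off = off;
    return type;
}

/* Constructed samples: GRE (+ ERSPAN) header followed by 14 zero bytes. */
static const uint8_t SAMPLE_T1[4 + 14] = { 0x00, 0x00, 0x88, 0xBE };
static const uint8_t SAMPLE_T2[16 + 14] = { 0x10, 0x00, 0x88, 0xBE, 0, 0, 0, 1,
                                            0x10, 0x64, 0x00, 0x01, 0, 0, 0, 0 };

int main(void)
{
    size_t o1 = 0, o2 = 0;
    int t1 = erspan_classify(SAMPLE_T1, sizeof SAMPLE_T1, &o1);
    int t2 = erspan_classify(SAMPLE_T2, sizeof SAMPLE_T2, &o2);
    printf("type %d at %zu, type %d at %zu\n", t1, o1, t2, o2);
    return 0;
}
```

The version value 1 checked here is the same field the quoted `version != 1` test reads, which is why a frame without the ERSPAN header cannot pass that check.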

Related issues 1 (0 open, 1 closed)

Copied to Suricata - Feature #3481: GRE ERSPAN Type 1 Support (Closed, Jeff Lucovsky)

#1

Updated by Andreas Herz almost 5 years ago

  • Tracker changed from Bug to Feature
  • Subject changed from GRE to GRE ERSPAN Type 1 Support
  • Priority changed from High to Normal
  • Target version changed from 4.1.7 to TBD

#2

Updated by Jeff Lucovsky almost 5 years ago

  • Assignee set to Jeff Lucovsky

#3

Updated by Jeff Lucovsky almost 5 years ago

  • Status changed from New to Assigned

#4

Updated by Victor Julien almost 5 years ago

  • Target version changed from TBD to 6.0.0beta1
  • Label Protocol added

#5

Updated by Jeff Lucovsky almost 5 years ago

#6

Updated by Jeff Lucovsky almost 5 years ago

  • Status changed from Assigned to Closed