Feature #1342 (closed): Support Cisco ERSPAN traffic
Description
Please add support for decoding Cisco erspan traffic, common on some Cisco 5k and 7k devices which do not support rspan or other common forms of port mirroring.
I have provided Victor sample data to provide insight into the unique headers Cisco uses.
Additionally, I have conducted testing with the latest version of snort and have confirmed erspan is working, in addition to the note on their blog: http://blog.snort.org/2013/07/snort-295-is-now-available.html.
I am available to provide testing if needed.
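An added example, not Suricata's own decoder from the pull request discussed below: a minimal C parser for the GRE + ERSPAN Type II encapsulation that this request asks to be decoded, following the public ERSPAN Type II header layout (8 bytes after a GRE header carrying protocol 0x88BE and a sequence number); the packet bytes below are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>

/* Fields recovered from one GRE-encapsulated ERSPAN Type II frame. */
struct erspan2 {
    uint16_t version;     /* ERSPAN header version; 1 == Type II */
    uint16_t vlan;        /* original 802.1Q VLAN of the mirrored frame */
    uint16_t session_id;  /* ERSPAN (monitor) session id, 10 bits */
    uint8_t  cos;         /* class of service, 3 bits */
    uint8_t  direction;   /* T bit: 0 = ingress, 1 = egress */
    size_t   payload_off; /* offset of the mirrored Ethernet frame */
};

#define GRE_PROTO_ERSPAN2 0x88BE  /* ethertype in the GRE protocol field */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* buf points at the GRE header (just after the outer IP header).
 * Returns 0 on success, -1 for truncated or non-ERSPAN-II input. */
int erspan2_decode(const uint8_t *buf, size_t len, struct erspan2 *out) {
    if (len < 4) return -1;
    uint16_t flags = rd16(buf), proto = rd16(buf + 2);
    if ((flags & 0x0007) != 0 || proto != GRE_PROTO_ERSPAN2) return -1;
    size_t off = 4;
    if (flags & 0xC000) off += 4;       /* C or R bit: checksum + reserved */
    if (flags & 0x2000) off += 4;       /* K bit: key */
    if (!(flags & 0x1000)) return -1;   /* S bit: Type II always carries a sequence number */
    off += 4;
    if (len < off + 8) return -1;       /* 8-byte ERSPAN header must be present */
    uint16_t w0 = rd16(buf + off), w1 = rd16(buf + off + 2);
    out->version = w0 >> 12;          out->vlan = w0 & 0x0FFF;
    out->cos = w1 >> 13;              out->direction = (w1 >> 10) & 1;
    out->session_id = w1 & 0x03FF;    out->payload_off = off + 8;
    if (out->version != 1) return -1;
    return (len < out->payload_off + 14) ? -1 : 0;  /* need an Ethernet header */
}

/* Constructed sample: GRE(S bit, 0x88BE, seq 1) + ERSPAN II (VLAN 100,
 * session 5, egress) + a 14-byte Ethernet header. 30 bytes in total. */
static const uint8_t sample_pkt[] = {
    0x10, 0x00, 0x88, 0xBE, 0x00, 0x00, 0x00, 0x01,
    0x10, 0x64, 0x04, 0x05, 0x00, 0x00, 0x00, 0x2A,
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
    0x88, 0x99, 0xAA, 0xBB, 0x08, 0x00 };

struct erspan2 sample_result;

/* Decode the sample truncated to `len` bytes (capped at its real size). */
int decode_sample(size_t len) {
    if (len > sizeof sample_pkt) len = sizeof sample_pkt;
    return erspan2_decode(sample_pkt, len, &sample_result);
}
```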
Updated by Victor Julien about 10 years ago
- Status changed from New to Assigned
- Target version changed from TBD to 2.1beta4
Updated by Victor Julien over 9 years ago
- Target version changed from 2.1beta4 to 3.0RC1
Updated by Victor Julien over 9 years ago
Could you test this implementation? https://github.com/inliniac/suricata/pull/1498
Updated by Jay MJ over 9 years ago
Victor Julien wrote:
Could you test this implementation? https://github.com/inliniac/suricata/pull/1498
I should have it in the hopper tonight or tomorrow. Sorry for the delay, not sure why the watch for this issue was off.
Updated by Jay MJ over 9 years ago
Compiled and did a quick test run. No erspan errors and eve log looks promising. I'll do some comparative analysis between logs with the non-erspan and report back this week. Much appreciation for your work on this.
Updated by Jay MJ over 9 years ago
Running for several hours with the same rule set and configuration as the other mirror. Alert data is matching up; will check http and other event types.
Updated by Victor Julien over 9 years ago
- Status changed from Assigned to Closed
- Priority changed from High to Normal
- % Done changed from 0 to 100
Thanks for testing!