Feature #3482: GRE ERSPAN Type 1 Support
Status: Closed
Description
[backport issue for 4.1.x] Hello Team
Our client uses Cumulus based switch with ERSPAN configured.
It seems that Cumulus transfers the traffic as encapsulated ERSPAN Type 1, while Suricata supports only ERSPAN Type 2.
We found the following:
Suricata decodes only ERSPAN Type 2
https://github.com/OISF/suricata/blob/master/src/decode-erspan.c
<line 60> /* only v1 is tested at this time */
<line 61> if (version != 1)
After removing the condition and allowing Suricata to try and decode different types (tested Type 1), no content was identified due to the different header size (32 bit for type 1 instead of 64 bit for type 2).
We were able to compile and test a version that supports type 1 instead of type 2.
Since many vendors that are not Cisco may use ERSPAN Type 1, we believe that it is important to have support for both ERSPAN Types in the stable version.
Can you please assist with the issue?
Thank you
Golan
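A hypothetical C classifier, added here and not Suricata's own decode-gre.c or decode-erspan.c, showing the distinction this report turns on: under GRE protocol type 0x88BE, ERSPAN Type II carries a GRE sequence number followed by an 8-byte ERSPAN header whose version field is 1, whereas Type I has no ERSPAN header and the inner Ethernet frame follows the GRE header directly. Using the GRE sequence flag to tell the two apart is an assumption of this example, the `type1_enabled` switch models Type I being off by default, and the sample headers are constructed rather than captured.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical classifier (not Suricata's decode-gre.c / decode-erspan.c).
 * Assumption modelled here: under GRE protocol type 0x88BE, a GRE header with
 * the sequence-number flag set is followed by the 8-byte ERSPAN Type II
 * header (version field 1); without the flag, the inner Ethernet frame
 * follows the GRE header directly (Type I), which is only accepted when the
 * caller has explicitly enabled it. */
enum erspan_kind { ERSPAN_NONE = 0, ERSPAN_TYPE_I, ERSPAN_TYPE_II,
                   ERSPAN_TYPE_I_DISABLED, ERSPAN_INVALID };

#define GRE_PROTO_ERSPAN 0x88BEu
#define ERSPAN_II_HDR_LEN 8u

/* Classifies the buffer starting at the GRE header; on success *inner_off is
 * the offset of the inner Ethernet frame from the start of the GRE header. */
enum erspan_kind erspan_classify(const uint8_t *gre, size_t len,
                                 bool type1_enabled, size_t *inner_off)
{
    if (len < 4) return ERSPAN_INVALID;
    uint8_t flags = gre[0];
    uint16_t proto = (uint16_t)((gre[2] << 8) | gre[3]);
    if (proto != GRE_PROTO_ERSPAN) return ERSPAN_NONE;

    size_t hlen = 4;                        /* RFC 2890 optional fields: */
    if (flags & 0x80) hlen += 4;            /*   C: checksum + reserved1 */
    if (flags & 0x20) hlen += 4;            /*   K: key                  */
    bool has_seq = (flags & 0x10) != 0;     /*   S: sequence number      */
    if (has_seq) hlen += 4;
    if (len < hlen) return ERSPAN_INVALID;

    if (has_seq) {                          /* Type II: ERSPAN header present */
        if (len < hlen + ERSPAN_II_HDR_LEN) return ERSPAN_INVALID;
        if ((gre[hlen] >> 4) != 1) return ERSPAN_INVALID; /* version != 1 */
        *inner_off = hlen + ERSPAN_II_HDR_LEN;
        return ERSPAN_TYPE_II;
    }
    if (!type1_enabled) return ERSPAN_TYPE_I_DISABLED;
    *inner_off = hlen;                      /* Type I: frame starts right here */
    return ERSPAN_TYPE_I;
}

/* Constructed sample headers (not captured traffic). */
const uint8_t SAMPLE_TYPE_I[]  = { 0x00, 0x00, 0x88, 0xBE };
const uint8_t SAMPLE_TYPE_II[] = { 0x10, 0x00, 0x88, 0xBE, 0x00, 0x00, 0x00, 0x01,
                                   0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
```

With Type I disabled the classifier reports ERSPAN_TYPE_I_DISABLED instead of handing the frame to the Ethernet decoder, which is the behaviour a default-off setting should produce.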
Updated by Jeff Lucovsky over 4 years ago
- Copied from Feature #3481: GRE ERSPAN Type 1 Support added
Updated by Jeff Lucovsky over 4 years ago
- Assignee changed from Jeff Lucovsky to Shivani Bhardwaj
- Label deleted (Needs backport)
ERSPAN Type I decoding should be disabled by default.
Updated by Shivani Bhardwaj over 4 years ago
- Status changed from New to Assigned
Updated by Shivani Bhardwaj over 4 years ago
- Priority changed from Normal to Immediate
Updated by Shivani Bhardwaj over 4 years ago
- Status changed from Assigned to In Review
Updated by Shivani Bhardwaj over 4 years ago
- Status changed from In Review to Closed