Snort mailing list archives
Re: Snort OTV Inspection
From: Da Pozzo Matteo <m.dapozzo () reply it>
Date: Tue, 26 Jul 2016 13:03:28 +0000
Hi Albert,

Yes of course! Please see attached the pcap file. (Note: Wireshark 2.0.4 won't recognize the packets properly, you might need Wireshark 1.12.)

Thanks,
Matteo

Matteo Da Pozzo
Communication Valley
Via Robert Koch, 1/4
20152 - Milano - ITALY
phone: +39 02 535761
mobile: +39 345 4954311
m.dapozzo () reply it
www.reply.it

From: Al Lewis (allewi) [mailto:allewi () cisco com]
Sent: Tuesday, 26 July 2016 14:05
To: Da Pozzo Matteo <m.dapozzo () reply it>; snort-devel () lists sourceforge net
Cc: Grazzani Marco <m.grazzani () reply it>
Subject: Re: [Snort-devel] Snort OTV Inspection

Can you provide a pcap of the traffic please?

Thanks.

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

From: Da Pozzo Matteo <m.dapozzo () reply it>
Date: Tuesday, July 26, 2016 at 7:36 AM
To: "snort-devel () lists sourceforge net" <snort-devel () lists sourceforge net>
Cc: Grazzani Marco <m.grazzani () reply it>
Subject: [Snort-devel] Snort OTV Inspection

Hi Snort Developer community,

It's the first time that I try to write on this list, so I hope it is the correct way to ask this question.

I would like to know if anyone has tried to inspect the payload of an OTV encapsulated packet. I tried to analyze an ICMP ECHO and REPLY encapsulated in OTV with SNORT 2.9.8 (Build 335) and it seems not to recognize ICMP in OTV. Does anyone have experience with this?

Thanks!

Below is the test output:

snort --daq-dir /usr/local/sf/lib/daq -r ICMP.ECHO.and.REPLY.over.OTV.pcap.pcapng
Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to read-file.
Acquiring network traffic from "ICMP.ECHO.and.REPLY.over.OTV.pcap.pcapng".

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.8 GRE (Build 335)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 7.4 2007-09-21
           Using ZLIB version: 1.2.5

Commencing packet processing (pid=22601)
WARNING: No preprocessors configured for policy 0.
08/17-21:27:36.262536 150.1.38.3 -> 150.1.78.7
GRE TTL:254 TOS:0x0 ID:2605 IpLen:20 DgmLen:1500 DF
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

WARNING: No preprocessors configured for policy 0.
08/17-21:27:36.263098 150.1.78.7 -> 150.1.38.3
GRE TTL:253 TOS:0x0 ID:2720 IpLen:20 DgmLen:1500 DF
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

===============================================================================
Run time for packet processing was 0.1477 seconds
Snort processed 2 packets.
Snort ran for 0 days 0 hours 0 minutes 0 seconds
   Pkts/sec:            2
===============================================================================
Memory usage summary:
  Total non-mmapped bytes (arena):       786432
  Bytes in mapped regions (hblkhd):      21590016
  Total allocated space (uordblks):      711648
  Total free space (fordblks):           74784
  Topmost releasable block (keepcost):   39616
===============================================================================
Packet I/O Totals:
   Received:            2
   Analyzed:            2 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:            2 (100.000%)
       VLAN:            0 (  0.000%)
        IP4:            2 (100.000%)
       Frag:            0 (  0.000%)
       ICMP:            0 (  0.000%)
        UDP:            0 (  0.000%)
        TCP:            0 (  0.000%)
        IP6:            0 (  0.000%)
    IP6 Ext:            0 (  0.000%)
   IP6 Opts:            0 (  0.000%)
      Frag6:            0 (  0.000%)
      ICMP6:            0 (  0.000%)
       UDP6:            0 (  0.000%)
       TCP6:            0 (  0.000%)
     Teredo:            0 (  0.000%)
    ICMP-IP:            0 (  0.000%)
    IP4/IP4:            0 (  0.000%)
    IP4/IP6:            0 (  0.000%)
    IP6/IP4:            0 (  0.000%)
    IP6/IP6:            0 (  0.000%)
        GRE:            2 (100.000%)
    GRE Eth:            0 (  0.000%)
   GRE VLAN:            0 (  0.000%)
    GRE IP4:            0 (  0.000%)
    GRE IP6:            0 (  0.000%)
GRE IP6 Ext:            0 (  0.000%)
   GRE PPTP:            0 (  0.000%)
    GRE ARP:            0 (  0.000%)
    GRE IPX:            0 (  0.000%)
   GRE Loop:            0 (  0.000%)
       MPLS:            0 (  0.000%)
        ARP:            0 (  0.000%)
        IPX:            0 (  0.000%)
   Eth Loop:            0 (  0.000%)
   Eth Disc:            0 (  0.000%)
   IP4 Disc:            0 (  0.000%)
   IP6 Disc:            0 (  0.000%)
   TCP Disc:            0 (  0.000%)
   UDP Disc:            0 (  0.000%)
  ICMP Disc:            0 (  0.000%)
All Discard:            0 (  0.000%)
      Other:            2 (100.000%)
Bad Chk Sum:            0 (  0.000%)
    Bad TTL:            0 (  0.000%)
     S5 G 1:            0 (  0.000%)
     S5 G 2:            0 (  0.000%)
      Total:            2
===============================================================================
Snort exiting

Thanks,
Matteo

Matteo Da Pozzo
Communication Valley
Via Robert Koch, 1/4
20152 - Milano - ITALY
phone: +39 02 535761
mobile: +39 345 4954311
m.dapozzo () reply it
www.reply.it
________________________________
--
The information transmitted is intended for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer.
Attachment:
OTV-icmpecho&icmpreply.pcap.pcapng
Description: OTV-icmpecho&icmpreply.pcap.pcapng
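A practical workaround for what the output above shows, added here as an example and not code from the thread or from Snort: the protocol breakdown counts both packets as GRE (GRE: 2) but none as GRE Eth, GRE IP4 or MPLS, and both end up in Other, so Snort decoded the outer GRE header and then stopped before the inner Ethernet/ICMP was ever reached. Until the decoder handles the OTV header, the inner frames can be stripped of their encapsulation offline and the result re-read with snort -r. The script below (Python 3, standard library only; the functions decapsulate, strip_pcap, sample_pcap and the rest are this example's own names) builds a constructed two-packet capture, an ICMP echo and reply between made-up inner hosts 10.0.1.10 and 10.0.2.20 carried between the thread's outer endpoints 150.1.38.3 and 150.1.78.7, walks Ethernet/IPv4/GRE, removes the encapsulation and writes a classic libpcap file, which the pcap DAQ reads just as it reads pcapng. One assumption is load-bearing and is labelled in the code: the OTV data plane is taken to be IPv4 protocol 47, a 4-byte GRE-like header announcing protocol type 0x8847, a 4-byte OTV shim, then the inner Ethernet frame (42 bytes of overhead). If the shim in a real capture differs, only decapsulate needs adjusting. Plain Ethernet-over-GRE (protocol type 0x6558) is handled as well, including the optional C/K/S header fields.

```python
"""Strip GRE / OTV-style encapsulation from a capture and write a plain pcap
that can be re-read with `snort -r stripped.pcap`.
Added example, not code from the thread or from Snort. Python 3, stdlib only.
ASSUMED OTV layout: IPv4 proto 47 | 4-byte GRE-like header, protocol type 0x8847
| 4-byte OTV shim | inner Ethernet frame. Sample traffic below is constructed."""
import struct

ETH_P_IP, IPPROTO_ICMP, IPPROTO_GRE = 0x0800, 1, 47
GRE_TYPE_TRANS_BRIDGING = 0x6558   # Ethernet-over-GRE ("transparent bridging")
GRE_TYPE_OTV = 0x8847              # assumption: OTV shim announced with the MPLS type
OUTER_DST, OUTER_SRC = b"\x00\x11\x22\x33\x44\x55", b"\x00\x66\x77\x88\x99\xaa"

def checksum(data):  # RFC 1071 one's-complement sum (IPv4 and ICMP headers)
    if len(data) % 2: data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16: total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ethernet(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload

def ipv4(src, dst, proto, payload, ttl=64):
    a = lambda s: bytes(int(x) for x in s.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      ttl, proto, 0, a(src), a(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def icmp_echo(ident, seq, data, reply=False):
    body = struct.pack("!BBHHH", 0 if reply else 8, 0, 0, ident, seq) + data
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]

def gre_encapsulate(outer_src, outer_dst, ptype, payload, key=None):
    """Outer Ethernet + IPv4(47) + GRE header; sets the K bit when a key is given."""
    gre = struct.pack("!HH", 0x2000 if key is not None else 0, ptype)
    if key is not None: gre += struct.pack("!I", key)
    return ethernet(OUTER_DST, OUTER_SRC, ETH_P_IP,
                    ipv4(outer_src, outer_dst, IPPROTO_GRE, gre + payload))

def otv_encapsulate(outer_src, outer_dst, inner_frame, overlay_id=1):
    """ASSUMED OTV shape: type 0x8847 then a 4-byte shim (field layout illustrative)."""
    shim = struct.pack("!I", overlay_id << 12)
    return gre_encapsulate(outer_src, outer_dst, GRE_TYPE_OTV, shim + inner_frame)

def decapsulate(frame):
    """Return (inner_ethernet_frame, kind) or (None, reason) for one captured frame."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None, "not IPv4"
    ihl, proto = (frame[14] & 0x0F) * 4, frame[14 + 9]
    if proto != IPPROTO_GRE: return None, "not GRE (ip proto %d)" % proto
    off = 14 + ihl
    if len(frame) < off + 4: return None, "truncated GRE header"
    flags, ptype = struct.unpack("!HH", frame[off:off + 4])
    off += 4
    for bit in (0x8000, 0x2000, 0x1000):   # C (checksum+reserved), K (key), S (sequence)
        if flags & bit: off += 4
    if ptype == GRE_TYPE_TRANS_BRIDGING:
        return frame[off:], "gre-eth"
    if ptype == GRE_TYPE_OTV:
        return frame[off + 4:], "otv"      # skip the assumed 4-byte OTV shim
    return None, "unhandled GRE protocol type 0x%04x" % ptype

def inner_summary(frame):  # what a decoder sees once the encapsulation is gone
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return "non-IP"
    ihl, proto = (frame[14] & 0x0F) * 4, frame[14 + 9]
    if proto != IPPROTO_ICMP:
        return "ip proto %d" % proto
    return {8: "icmp-echo", 0: "icmp-echo-reply"}.get(frame[14 + ihl], "icmp")

def write_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1471469256 + i, 0, len(f), len(f)) + f
    return out

def read_pcap(data):
    frames, off = [], 24
    while off < len(data):
        caplen = struct.unpack("<I", data[off + 8:off + 12])[0]
        frames.append(data[off + 16:off + 16 + caplen])
        off += 16 + caplen
    return frames

def strip_pcap(data):
    """Decapsulate GRE/OTV frames; anything else passes through untouched."""
    return write_pcap([decapsulate(f)[0] or f for f in read_pcap(data)])

def sample_pcap():  # constructed: echo/reply 10.0.1.10 <-> 10.0.2.20 inside OTV
    m1, m2 = b"\x00\x00\x0c\x00\x00\x01", b"\x00\x00\x0c\x00\x00\x02"
    echo = ethernet(m2, m1, ETH_P_IP, ipv4("10.0.1.10", "10.0.2.20", IPPROTO_ICMP,
                                          icmp_echo(1, 1, b"abcdefgh")))
    reply = ethernet(m1, m2, ETH_P_IP, ipv4("10.0.2.20", "10.0.1.10", IPPROTO_ICMP,
                                           icmp_echo(1, 1, b"abcdefgh", reply=True)))
    return write_pcap([otv_encapsulate("150.1.38.3", "150.1.78.7", echo),
                       otv_encapsulate("150.1.78.7", "150.1.38.3", reply)])

if __name__ == "__main__":
    stripped = strip_pcap(sample_pcap())   # write this out, then: snort -r stripped.pcap
    print([inner_summary(f) for f in read_pcap(stripped)])
```

Two caveats when using this on a real capture: the outer addresses and overlay id are discarded, so any Snort alert on the stripped file names only the inner hosts, and the stripped frames carry no trace of which overlay they came from; and a decoder fix inside Snort is the real answer, since offline stripping does nothing for inline inspection of OTV traffic.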
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Snort OTV Inspection Da Pozzo Matteo (Jul 26)
- Re: Snort OTV Inspection Al Lewis (allewi) (Jul 26)
- Re: Snort OTV Inspection Da Pozzo Matteo (Jul 26)
- Re: Snort OTV Inspection Al Lewis (allewi) (Jul 26)