I’m working with a few erspan flows to various sensors. I recently needed to use a bpf filter to exclude traffic (in addition to a few pass rules, which work to bypass rules just fine with erspan).
I noticed that no bpf rules would apply (include, exclude, etc). Upon further investigation, if I strip the erspan header off with rcdcap to a virtual interface that suricata monitors, the traffic is filtered correctly through bpf and works. Once the erspan header is back, it no longer works.
I sense that bpf is applied before erspan decoder which is why pass rules work but bpf does not. Perhaps a ticket should be entered to have this addressed?
I looked at setting up an erspan decoder interface in Linux, however I haven’t had much success (it won’t pick up packets). I’ll keep trying, however, long term, I’d prefer to keep the header since processing of erspan downstream in suricata decodes just fine.
While great, rcdcap is not an option for most of the environment I’m using.
Details on what environment I tested in:
suricata 5.0.3, 6.03
linux 4.19, linux 5.15.2
type II erspan
Any suggestions or if others have this problem, please post here.
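An added example, not code from the thread: since the BPF filter is evaluated on the raw packet before Suricata's decoders run, a filter on the inner traffic has to address the inner header by byte offset through the GRE/ERSPAN encapsulation. The script builds a constructed ERSPAN Type II frame, computes where the inner IPv4 header sits, and derives an exclude filter for an inner destination; it assumes an outer IPv4 header without options, an 8-byte ERSPAN Type II header and an inner Ethernet frame with at most one 802.1Q tag, and it does not verify that a given libpcap build accepts the expression.

```python
import struct
import ipaddress

GRE_PROTO = 47          # IP protocol number for GRE
ERSPAN2_TYPE = 0x88BE   # GRE protocol type carried by ERSPAN Type II
ETH_LEN = 14

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left zero since only offsets matter here."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def build_erspan2_frame(outer_src, outer_dst, inner_src, inner_dst):
    """Constructed sample frame: Ethernet / IPv4 / GRE(S flag) / ERSPAN II / Ethernet / IPv4 / TCP stub."""
    inner_ip = ipv4_header(inner_src, inner_dst, 6, 20) + bytes(20)       # 20-byte TCP stub
    inner_eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    erspan = struct.pack("!HHI", (1 << 12) | 100, 1, 0)                  # version 1, VLAN 100, session 1
    gre = struct.pack("!HHI", 0x1000, ERSPAN2_TYPE, 42)                   # S bit set, sequence 42
    payload = gre + erspan + inner_eth + inner_ip
    outer_eth = bytes.fromhex("aaaaaaaaaaaa") + bytes.fromhex("bbbbbbbbbbbb") + b"\x08\x00"
    return outer_eth + ipv4_header(outer_src, outer_dst, GRE_PROTO, len(payload)) + payload

def erspan2_offsets(frame):
    """Offsets (relative to the outer IPv4 header, i.e. BPF 'ip[...]' indexing) of the
    GRE protocol-type field and the inner IPv4 header. Raises if the frame is not ERSPAN II."""
    ip = ETH_LEN
    ihl = (frame[ip] & 0x0F) * 4
    if frame[ip + 9] != GRE_PROTO:
        raise ValueError("outer packet is not GRE")
    flags, ptype = struct.unpack("!HH", frame[ip + ihl:ip + ihl + 4])
    if ptype != ERSPAN2_TYPE:
        raise ValueError("GRE payload is not ERSPAN Type II")
    # optional GRE fields: C (0x8000) checksum+reserved, K (0x2000) key, S (0x1000) sequence number
    gre_len = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
    inner_eth = ihl + gre_len + 8                       # ERSPAN Type II header is a fixed 8 bytes
    inner_ip = inner_eth + ETH_LEN
    if frame[ip + inner_eth + 12:ip + inner_eth + 14] == b"\x81\x00":  # 802.1Q tag on the inner frame
        inner_ip += 4
    return {"gre_type": ihl + 2, "inner_ip": inner_ip}

def inner_dst_exclude_filter(frame, inner_dst):
    """BPF expression that drops ERSPAN II packets whose *inner* IPv4 destination is inner_dst."""
    off = erspan2_offsets(frame)
    addr = int(ipaddress.IPv4Address(inner_dst))
    return (f"not (ip proto {GRE_PROTO} and ip[{off['gre_type']}:2] = 0x{ERSPAN2_TYPE:04x}"
            f" and ip[{off['inner_ip'] + 16}:4] = 0x{addr:08x})")

def parsed_inner_dst(frame):
    """Read the inner IPv4 destination back out, to confirm the offsets land on the right bytes."""
    off = ETH_LEN + erspan2_offsets(frame)["inner_ip"] + 16
    return str(ipaddress.IPv4Address(frame[off:off + 4]))
```

The generated expression can be dropped into Suricata's bpf-filter setting or checked first with tcpdump against a capture of the real ERSPAN flow, since the offsets shift if the exporting switch sets different GRE flags or tags the inner frame.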
Thank you Jeff, I believe it is type II (will confirm of course), it appears that suricata itself decodes it fine (from Cisco Nexus and Catalyst sources), I believe the bpf magic happens before the decoding in suricata. I will check tomorrow though and get back to you with what I see.
Also, I will do some more exploring with this, testing with latest stable version of suricata in our lab (will also be running 5.15 linux kernel); may be able to pull a pcap for @Andreas_Herz this way too, we’ll see what that gets us.
Do you have a chance to look into the traffic with wireshark/termshark to dig into that?
I have seen setups with traffic coming from those devices, so I would argue it should be possible. I had success with bpf filters on some specific lower layer protocols.
Another idea would be to check what NIC you use and what settings are set.
I don’t have the system available anymore that had this traffic, so I can’t confirm it 100%.
But if you don’t get the ERSPAN traffic when you run tcpdump with proto 0x2f or proto gre, it doesn’t seem to work or something else is off.