I’m working with a few erspan flows to various sensors. I recently needed to use a bpf filter to exclude traffic (in addition to a few pass rules, which work to bypass rules just fine with erspan).
I noticed that no bpf rules would not apply (include, exlcude, etc). Upon further investigating, if I strip the erspan header off with rcdcap to a virtual interface suricata monitors, the traffic is filtered correctly through bpf and works. Once erspan header is back, it no longer works.
I sense that bpf is applied before erspan decoder which is why pass rules work but bpf does not. Perhaps a ticket should be entered to have this addressed?
I looked at setting up an erspan decoder interface in Linux, however I haven’t had much success (it won’t pick up packets). I’ll keep trying, however, long term, I’d prefer to keep the header since processing of erspan downstream in suricata decodes just fine.
While great, rcpdcap is not an option for most of the environment I’m using.
Details on what environment I tested in:
suricata 5.0.3, 6.03
linux 4.19, linux 5.15.2
af_packet, pfring
type II erspan
Any suggestions or if others have this problem, please post here.
DId you try to create a bpf filter that matches ERSPAN and the traffic within it that you want to exclude? For example this would work for GRE as well like “proto GRE & host 1.2.3.4”.
I will give this a shot and report back. Running tcpdump, I only see GRE and the IP is from Cisco device to target interface IP on the scanner appliance.
It will mirror the traffic, however it remains encapsulated on the erspan interface unfortunately. Running Debian kernel 4.19. I’ll see if I can get the ebpf going at some point and post an update.
Do you see a chance to craft an example pcap to share? Maybe there are some differences in implementations but loading it up in wireshark might help to get an idea how a bpf filter might work
Thank you Jeff, I believe it is type II (will confirm of course), it appears that suricata itself decodes it fine (from Cisco Nexus and Catalyst sources), I believe the bpf magic happens before the decoding in suricata. I will check tomorrow though and get back to you with what I see.
Also, I will do some more exploring with this, testing with latest stable version of suricata in our lab (will also be running 5.15 linux kernel); may be able to pull a pcap for @Andreas_Herz this way too, we’ll see what that gets us.
Do you have a change to look into the traffic with wireshark/termshark to dig into that?
I have seen setups with traffic coming from those devices, so I would argue it should be possible. I had sucess with bpf filters on some specific lower layer protocols.
Another idea would be to check what NIC you use and what settings are set.
I did some more poking today in my test lab, it’s not ignoring the traffic to a test DNS server (by IP in BPF). This is in suricata 6.0.4, and 5.15.11 kernel.
So, to confirm @Andreas_Herz, you are able to get bpf (not eBPF) filters to work with erspan traffic, correct?
I don’t have the system available anymore that had this traffic, so I can’t confirm it 100%
But if you don’t get the ERSPAN traffc if you run tcpdump with proto 0x2f or proto gre it doesn’t seem to work or something else is off.
