I see in the src that there is a mention of processing ERSPAN type II traffic:
I can’t find how to invoke this or implement it…does anyone know how to use this?
Edit: I think my question might be too vague (sorry!). Does anyone know how to get Suricata to process ERSPAN traffic?
Encapsulated remote SPAN (ERSPAN) is a tunneling protocol – https://community.cisco.com/t5/networking-documents/understanding-span-rspan-and-erspan/ta-p/3144951.
Does it apply to your deployment?
Yes that applies, that is what we are using to send traffic to Suricata (ERSPAN type II). I updated the OP with a clarified question. I am very familiar with ERSPAN/GRE tunneling, just can’t get Suricata to process it.
What version of Suricata are you using?
With 5.0.3 and later, ERSPAN Type II traffic is processed. The statistic decoder.erspan reflects how many ERSPAN packets are seen.
ERSPAN Type I traffic must be configured with decoder.erspan.typeI.enabled (default: off)
ERSPAN’s ethertype value is 0x88BE. We use this to determine if it’s Type I or Type II:
GRE Header bits
Type I: 0|0|0|0|0|00000|000000000|00000
Type II: 0|0|0|1|0|00000|000000000|00000
Thanks Jeff!
We are on 5.0.3.
I had to enable type I and this got the processing working! I don’t see decorder.erspan in stats.log though, is this located somewhere else?
It’s in stats.log, e.g.,
$ grep decoder.erspan stats.log
decoder.erspan | Total | 84
$
its value must be > 0 to be included.
That was it, thanks again! This solves many issues for me!