Suricata and Fortinet ERSPAN Version 1

Suricata version 6.0.9
RHEL 7.9
Packages

I have a Fortinet switch sending me GRE v1-encapsulated ERSPAN.

Suricata does not seem to be de-encapsulating/processing the GRE.

It has been suggested that Fortinet may be doing a proprietary encapsulation, but a tcpdump appears to show it is generic GRE v1 encapsulation.

Does anyone have any insight?

Any chance a PCAP can be provided?

Sure, Jason, thanks!


Running manually, with mid-stream pickup enabled, Suricata 6.0.9 is able to pick out the SMB traffic from this PCAP, my command line being:

suricata -r ~/Downloads/gre9.pcap -l . -S /dev/null --set stream.midstream=true

I should note that Suricata 6.0 is no longer supported, so there could be other issues impacting your deployment. I’d suggest upgrading to the latest 7.0.6 release and re-testing.

If using RPMs, we do have a repo with newer versions of Suricata for RHEL 7: @oisf/suricata-7.0 Copr

But with RHEL 7, or at least CentOS 7 now being end of life, 7.0.6 is probably the last release that will land for RHEL 7.
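Since the whole question hinges on what the switch actually puts on the wire, here is a small decoder for the GRE and ERSPAN headers of a mirrored frame. This is an added example, not code from the thread or from the Suricata project; the frames it feeds itself are constructed (no Fortinet capture is involved) and the `build_erspan_frame` helper exists only to exercise the decoder. Pointed at bytes pulled from the real PCAP (for example with scapy's `rdpcap`), it reports the GRE version bits, which optional GRE fields are present, and whether an ERSPAN Type I, II or III header follows, which is the detail a "looks like generic GRE" tcpdump line does not make obvious.

```python
"""Decode the GRE and ERSPAN layers of a mirrored Ethernet frame.

Added example (not from the forum thread or the Suricata code base).
The sample frames produced by build_erspan_frame() are constructed here,
not captured from a Fortinet switch.
"""
import struct

ETH_P_IP = 0x0800
IPPROTO_GRE = 47
GRE_PROTO_ERSPAN_I_II = 0x88BE   # ERSPAN Type I and Type II share this protocol type
GRE_PROTO_ERSPAN_III = 0x22EB
GRE_FLAG_C = 0x8000              # checksum present
GRE_FLAG_K = 0x2000              # key present
GRE_FLAG_S = 0x1000              # sequence number present


def decode_gre_erspan(frame: bytes) -> dict:
    """Walk Ethernet -> IPv4 -> GRE -> (ERSPAN) -> inner Ethernet and describe it."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        raise ValueError("outer frame is not Ethernet/IPv4")
    if frame[14] >> 4 != 4 or frame[14 + 9] != IPPROTO_GRE:
        raise ValueError("outer packet is not IPv4 carrying GRE (protocol 47)")
    gre_off = 14 + (frame[14] & 0x0F) * 4
    flags_ver, gre_proto = struct.unpack("!HH", frame[gre_off:gre_off + 4])
    info = {
        "gre_version": flags_ver & 0x7,   # 0 = RFC 2784/2890 GRE, 1 = PPTP "enhanced GRE"
        "gre_proto": gre_proto,
        "checksum": bool(flags_ver & GRE_FLAG_C),
        "key": None, "seq": None,
        "erspan_type": None, "erspan_version": None,
        "vlan": None, "session_id": None, "inner_ethertype": None,
    }
    off = gre_off + 4
    if info["checksum"]:
        off += 4                                   # checksum + reserved1
    if flags_ver & GRE_FLAG_K:
        info["key"] = struct.unpack("!I", frame[off:off + 4])[0]
        off += 4
    if flags_ver & GRE_FLAG_S:
        info["seq"] = struct.unpack("!I", frame[off:off + 4])[0]
        off += 4

    if gre_proto == GRE_PROTO_ERSPAN_I_II:
        if info["seq"] is None:
            info["erspan_type"] = "I"              # Type I: inner frame follows GRE directly
        else:
            info["erspan_type"] = "II"             # Type II: 8-byte header after the GRE seq
            w1, _w2 = struct.unpack("!II", frame[off:off + 8])
            info["erspan_version"] = w1 >> 28      # Type II carries version 1
            info["vlan"] = (w1 >> 16) & 0xFFF
            info["session_id"] = w1 & 0x3FF
            off += 8
    elif gre_proto == GRE_PROTO_ERSPAN_III:
        info["erspan_type"] = "III"                # 12-byte base header, version 2
        w1, _timestamp, w3 = struct.unpack("!III", frame[off:off + 12])
        info["erspan_version"] = w1 >> 28
        info["vlan"] = (w1 >> 16) & 0xFFF
        info["session_id"] = w1 & 0x3FF
        off += 12 + (8 if w3 & 0x1 else 0)         # O bit set => platform-specific subheader
    else:
        return info                                # plain GRE carrying something else
    info["inner_ethertype"] = struct.unpack("!H", frame[off + 12:off + 14])[0]
    return info


def build_erspan_frame(erspan_type: str, seq: int = 1, session_id: int = 5) -> bytes:
    """Constructed sample: ERSPAN-in-GRE carrying a tiny inner Ethernet/IPv4/TCP SYN to 445."""
    inner = (bytes.fromhex("0202020202020101010101010800")                       # inner Ethernet
             + bytes.fromhex("450000280001000040060000c0a80001c0a80002")         # inner IPv4, TCP
             + bytes.fromhex("c00001bd00000001000000005002200000000000"))        # TCP SYN -> 445
    if erspan_type == "I":
        payload = struct.pack("!HH", 0x0000, GRE_PROTO_ERSPAN_I_II) + inner
    elif erspan_type == "II":
        gre = struct.pack("!HHI", GRE_FLAG_S, GRE_PROTO_ERSPAN_I_II, seq)
        erspan = struct.pack("!II", (1 << 28) | (100 << 16) | session_id, 0)  # ver 1, VLAN 100
        payload = gre + erspan + inner
    else:
        raise ValueError("only Type I and Type II samples are built here")
    outer_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                           IPPROTO_GRE, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    outer_eth = bytes.fromhex("aaaaaaaaaaaabbbbbbbbbbbb0800")
    return outer_eth + outer_ip + payload


if __name__ == "__main__":
    for kind in ("I", "II"):
        print(kind, decode_gre_erspan(build_erspan_frame(kind, seq=7)))
```

The distinction the decoder prints is the one to check against the real capture: Type I is a bare GRE header with protocol type 0x88BE and no sequence number, Type II adds the S flag plus an 8-byte ERSPAN header whose version field is 1, and Type III uses protocol type 0x22EB. The GRE "version" bits in the first header word are a separate thing from the ERSPAN version and should read 0 for any of these. If the frames come back as Type I, look at the `decoder: erspan: typeI: enabled` setting in suricata.yaml, which in the 6.x/7.x configurations I have seen ships disabled; that is an assumption to verify against your own installed file rather than a documented cause of this poster's problem.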