detect: Recognize ERSPAN Type I packets #4627
Conversation
| { | ||
| int enabled = 0; | ||
| if (ConfGetBool("decoder.erspan_typeI.enabled", &enabled) == 1) { | ||
| g_erspan_typeI_enabled = enabled == 1; |
There was a problem hiding this comment.
In 5.0.x, ConfGetBool returns an int
| @@ -1338,6 +1338,9 @@ decoder: | |||
| vxlan: | |||
| enabled: true | |||
| ports: $VXLAN_PORTS # syntax: '8472, 4789' | |||
| # ERSPAN Type I | |||
| erspan_typeI: | |||
There was a problem hiding this comment.
wonder if we should make this something like:
erspan:
typeI:
enabled: false
Also, wondering if we need to make sure this carries forward to newer releases. If the config has this explicitly disabled here, it should be respected in 6.0 as well right?
There was a problem hiding this comment.
Good question. The intent of making it configurable is to provide control over (what might be) the additional packet load introduced by the back port.
Only Teredo and VXLAN decoding is configurable in 6.0.
For 6.0, I'd recommend that we detect the configuration setting and either
- Exit with an error message ("Deprecated setting" or similar)
- Issue a warning and continue execution ("Warning: ERSPAN Type I is no longer configurable")
There was a problem hiding this comment.
Issue 3515 created to track.
There was a problem hiding this comment.
- Issue a warning and continue execution ("Warning: ERSPAN Type I is no longer configurable")
I think I'd prefer this approach.
|
Continued in #4635 |
[Backport of #4475]
This PR adds support for ERSPAN Type I packets to 5.0.x
This document and wireshark were used as a reference for this work.
Link to redmine ticket:3481
Describe changes:
Suricata-verify PR #195