detect: Recognize ERSPAN Type I packets #4627
Conversation
{ | ||
int enabled = 0; | ||
if (ConfGetBool("decoder.erspan_typeI.enabled", &enabled) == 1) { | ||
g_erspan_typeI_enabled = enabled == 1; |
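Review bot: when `ConfGetBool("decoder.erspan_typeI.enabled", &enabled)` returns anything but 1 (key absent, or not a recognised boolean) this block leaves `g_erspan_typeI_enabled` at whatever value it already held, so the effective default is only visible at the global's definition and a typo in the key silently falls back to it; set the default explicitly in this function (an `else` branch, or initialise the global right before the call) and log the resulting value, since the whole point of the setting is to let operators control the extra decoder load the backport adds. Also `enabled == 1` works only because `ConfGetBool` writes exactly 0 or 1 into `enabled`; `enabled != 0` would not depend on that detail.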
`true` instead of `1`?
In 5.0.x, `ConfGetBool` returns an int.
@@ -1338,6 +1338,9 @@ decoder: | |||
vxlan: | |||
enabled: true | |||
ports: $VXLAN_PORTS # syntax: '8472, 4789' | |||
# ERSPAN Type I | |||
erspan_typeI: |
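Review bot: the hunk header announces three added lines but only `# ERSPAN Type I` and `erspan_typeI:` are visible here, so the `enabled:` key that the code reads as `decoder.erspan_typeI.enabled`, and the default it ships with, cannot be checked from this view; please make sure the default is stated in the comment (the neighbouring `vxlan:` block documents its `ports:` syntax the same way) and note that the key is a 5.0.x-only control. The surrounding `vxlan:` / `enabled:` nesting also suggests `erspan:` / `typeI:` / `enabled:` rather than a flat `erspan_typeI:` key, which would leave room for other ERSPAN types without renaming the setting.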
wonder if we should make this something like:
```yaml
erspan:
  typeI:
    enabled: false
```
Also, wondering if we need to make sure this carries forward to newer releases. If the config has this explicitly disabled here, it should be respected in 6.0 as well, right?
Good question. The intent of making it configurable is to provide control over (what might be) the additional packet load introduced by the back port.
Only Teredo and VXLAN decoding are configurable in 6.0.
For 6.0, I'd recommend that we detect the configuration setting and either
- Exit with an error message ("Deprecated setting" or similar)
- Issue a warning and continue execution ("Warning: ERSPAN Type I is no longer configurable")
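As an added example, not code from the Suricata project or from this PR, the C below puts the 5.0.x behaviour (honour `decoder.erspan_typeI.enabled`) next to the second option proposed above for 6.0 (warn that the key is no longer configurable and continue). `ConfGetBoolStub`, `ErspanTypeIConfigure`, the `ErspanConfResult` codes, the constructed `kSampleConf` table and the `major_version` switch are all assumptions made for the illustration; the stub only mirrors the contract the thread mentions for `ConfGetBool` (returns an int, 1 when the key was found and parsed), it is not the real config API.

```c
/* Added example (not Suricata's code). Models how a decoder option such as
 * decoder.erspan_typeI.enabled can be honoured on 5.0.x and, on 6.0 where the
 * thread says it is no longer configurable, turned into a warning. The
 * ConfGetBoolStub contract is an assumption modelled on ConfGetBool. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One parsed YAML scalar, addressed by the dotted path ConfGetBool takes. */
typedef struct {
    const char *key;
    const char *value;
} ConfEntry;

/* Constructed sample of a 5.0.x decoder: section (not a real suricata.yaml). */
static const ConfEntry kSampleConf[] = {
    { "decoder.vxlan.enabled",        "true" },
    { "decoder.erspan_typeI.enabled", "no"   },
};
static const size_t kSampleConfLen = sizeof(kSampleConf) / sizeof(kSampleConf[0]);

static int StrEqNoCase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Stand-in for ConfGetBool (assumed contract): returns 1 and sets *val only
 * when the key exists and holds a recognised boolean spelling; otherwise
 * returns 0 and leaves *val untouched. Passing n = 0 simulates a config
 * file that does not contain the key at all. */
static int ConfGetBoolStub(const ConfEntry *tbl, size_t n, const char *key, int *val)
{
    static const char *const yes[] = { "1", "yes", "true", "on" };
    static const char *const no[]  = { "0", "no", "false", "off" };
    for (size_t i = 0; i < n; i++) {
        if (strcmp(tbl[i].key, key) != 0)
            continue;
        for (size_t j = 0; j < 4; j++) {
            if (StrEqNoCase(tbl[i].value, yes[j])) { *val = 1; return 1; }
            if (StrEqNoCase(tbl[i].value, no[j]))  { *val = 0; return 1; }
        }
        return 0; /* key present but not a boolean: treated as "not set" */
    }
    return 0;
}

/* Which path ran; returned so callers (and tests) can check it. */
enum ErspanConfResult {
    ERSPAN_CONF_DEFAULTED = 0, /* key absent, compiled-in default used */
    ERSPAN_CONF_APPLIED   = 1, /* 5.0.x: key honoured */
    ERSPAN_CONF_WARNED    = 2  /* 6.0: key present, warned and ignored */
};

#define ERSPAN_TYPEI_DEFAULT_ENABLED 1 /* assumed default, stated in one place */

/* major_version 5: honour the key (the backport's decoder-load control).
 * major_version 6+: the key is no longer configurable, so warn when it is
 * present, keep ERSPAN Type I decoding on, and continue execution. */
static enum ErspanConfResult ErspanTypeIConfigure(const ConfEntry *tbl, size_t n,
                                                  int major_version, int *enabled_out)
{
    int enabled = 0;
    int found = ConfGetBoolStub(tbl, n, "decoder.erspan_typeI.enabled", &enabled);

    if (major_version >= 6) {
        *enabled_out = 1;
        if (found) {
            fprintf(stderr, "Warning: ERSPAN Type I is no longer configurable; "
                            "ignoring decoder.erspan_typeI.enabled\n");
            return ERSPAN_CONF_WARNED;
        }
        return ERSPAN_CONF_DEFAULTED;
    }
    if (found) {
        *enabled_out = (enabled == 1); /* ConfGetBool hands back an int in 5.0.x */
        return ERSPAN_CONF_APPLIED;
    }
    *enabled_out = ERSPAN_TYPEI_DEFAULT_ENABLED; /* explicit default when the key is absent */
    return ERSPAN_CONF_DEFAULTED;
}

int main(void)
{
    int enabled;
    enum ErspanConfResult r;
    r = ErspanTypeIConfigure(kSampleConf, kSampleConfLen, 5, &enabled);
    printf("5.0.x, key set to 'no':  result=%d enabled=%d\n", r, enabled);
    r = ErspanTypeIConfigure(kSampleConf, kSampleConfLen, 6, &enabled);
    printf("6.0,   key set to 'no':  result=%d enabled=%d\n", r, enabled);
    r = ErspanTypeIConfigure(kSampleConf, 0, 5, &enabled);
    printf("5.0.x, key absent:       result=%d enabled=%d\n", r, enabled);
    return 0;
}
```

The point of returning a result code rather than only setting the flag is that the three situations the thread distinguishes (default, honoured, deprecated-and-ignored) stay observable to the caller, which is what a startup log line or a suricata-verify check would key on.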
Issue 3515 created to track.
> - Issue a warning and continue execution ("Warning: ERSPAN Type I is no longer configurable")
I think I'd prefer this approach.
Continued in #4635
[Backport of #4475]
This PR adds support for ERSPAN Type I packets to 5.0.x
This document and Wireshark were used as a reference for this work.
Link to redmine ticket: 3481
Describe changes:
Suricata-verify PR #195