[Bro] Protosig question, round 2

James Lay jlay at slave-tothe-box.net
Fri Nov 4 15:06:30 PDT 2016


Yea this works:

signature protosig_vxlan {
   ip-proto == udp
   dst-port == 4789
   payload /\x08\x00/
   eval ProtoSig::match
}

Adjust the payload "\x08" for vlanid.  From https://surf.cloudshark.org/captures/b6495a4ea5d5.

James

On 2016-11-04 15:38, Zeolla at GMail.com wrote:
> Right, I spoke to arista directly about that too.  On the bro side I
> asked via my broala support contract.
> 
> Jon
> 
> On Fri, Nov 4, 2016, 17:19 Azoff, Justin S <jazoff at illinois.edu>
> wrote:
> 
>>> On Nov 4, 2016, at 4:59 PM, Zeolla at GMail.com <zeolla at gmail.com>
>> wrote:
>>> 
>>> I have the same interests but for vxlan encapsulated traffic.
>> Last I heard, no luck doing this with bro.  Have to decap upstream.
>> 
>> I don't recall anyone ever asking about vxlan before.  I think it's
>> a pretty trivial protocol to decode - look for udp 4789, skip 8
>> bytes, see if you have what looks like an ethernet frame.
>> 
>> The main issue with that and things like fabric path is the
>> encapsulation into a limited number of outer l3 headers can cause
>> flow hashing to be useless making it hard to load balance the
>> traffic.
>> 
>> --
>> - Justin Azoff
> 
> --
> 
> Jon
> 
> Sent from my mobile device
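Added example, not part of the thread or of Bro: a small Python decoder for the heuristic Justin describes (UDP/4789, skip the 8-byte header, check for an Ethernet frame), which also shows where the flags byte matched by James' signature sits relative to the 24-bit VNI. All names are mine; the sample packet is constructed.

```python
import struct

# VXLAN constants (RFC 7348): UDP/4789, 8-byte header, I flag marks a valid VNI.
VXLAN_PORT = 4789
VXLAN_HDR_LEN = 8                # flags(1) reserved(3) VNI(3) reserved(1)
VXLAN_FLAG_VNI_VALID = 0x08      # the "\x08" the signature above keys on
ETH_HDR_LEN = 14                 # dst MAC(6) src MAC(6) ethertype(2)
PLAUSIBLE_ETHERTYPES = {0x0800, 0x0806, 0x86DD, 0x8100}


def parse_vxlan(udp_payload: bytes):
    """Apply the heuristic from the thread to a UDP/4789 payload.

    Returns (vni, inner_ethernet_frame) or None when the payload does not
    look like VXLAN carrying an Ethernet frame.
    """
    if len(udp_payload) < VXLAN_HDR_LEN + ETH_HDR_LEN:
        return None
    flags = udp_payload[0]
    if not flags & VXLAN_FLAG_VNI_VALID:
        return None
    # The VNI is the 24-bit big-endian field at bytes 4..6, not the flags
    # byte; a per-tenant filter has to match there.
    vni = int.from_bytes(udp_payload[4:7], "big")
    inner = udp_payload[VXLAN_HDR_LEN:]          # "skip 8 bytes"
    (ethertype,) = struct.unpack("!H", inner[12:14])
    if ethertype not in PLAUSIBLE_ETHERTYPES:    # "looks like an ethernet frame"
        return None
    return vni, inner


def build_vxlan(vni: int, inner_frame: bytes) -> bytes:
    """Constructed encapsulation helper, used only to produce test input."""
    hdr = bytes([VXLAN_FLAG_VNI_VALID, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    return hdr + inner_frame


# Constructed sample: an inner Ethernet frame (IPv4 ethertype) with a dummy payload.
SAMPLE_INNER = bytes.fromhex("001122334455" "66778899aabb" "0800") + b"\x45" + b"\x00" * 19

if __name__ == "__main__":
    vni, frame = parse_vxlan(build_vxlan(0x1234, SAMPLE_INNER))
    print(f"VNI {vni}, inner ethertype 0x{frame[12:14].hex()}")
```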