[Bro] Protosig question, round 2

Zeolla@GMail.com zeolla at gmail.com
Fri Nov 4 15:32:05 PDT 2016


But that just matches on it, which I think was the original ticket's intent
but I missed that.  I'm interested in processing the inner packet/frame - I
thought your initial comments were just your first step towards decap.  I'm
looking to decap and process the inner frame.  Regardless, sorry, don't
mean to hijack.

Jon

On Fri, Nov 4, 2016, 18:09 James Lay <jlay at slave-tothe-box.net> wrote:

> Yea this works:
>
> signature protosig_vxlan {
>    ip-proto == udp
>    dst-port == 4789
>    payload /\x08\x00/
>    eval ProtoSig::match
> }
>
> Adjust the payload "\x08" for vlanid.  From
> https://surf.cloudshark.org/captures/b6495a4ea5d5.
>
> James
>
> On 2016-11-04 15:38, Zeolla at GMail.com wrote:
> > Right, I spoke to arista directly about that too.  On the bro side I
> > asked via my broala support contract.
> >
> > Jon
> >
> > On Fri, Nov 4, 2016, 17:19 Azoff, Justin S <jazoff at illinois.edu>
> > wrote:
> >
> >>> On Nov 4, 2016, at 4:59 PM, Zeolla at GMail.com <zeolla at gmail.com>
> >> wrote:
> >>>
> >>> I have the same interests but for vxlan encapsulated traffic.
> >> Last I heard, no luck doing this with bro.  Have to decap upstream.
> >>
> >> I don't recall anyone ever asking about vxlan before.  I think it's
> >> a pretty trivial protocol to decode - look for udp 4789, skip 8
> >> bytes, see if you have what looks like an ethernet frame.
> >>
> >> The main issue with that and things like fabric path is the
> >> encapsulation into a limited number of outer l3 headers can cause
> >> flow hashing to be useless making it hard to load balance the
> >> traffic.
> >>
> >> --
> >> - Justin Azoff
> >
> > --
> >
> > Jon
> >
> > Sent from my mobile device
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
-- 

Jon

Sent from my mobile device
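The decode Justin sketches above (UDP to 4789, skip the 8-byte VXLAN header, check that what follows looks like an Ethernet frame) and the first two header bytes that James's signature matches on, written out as a small standalone decapsulation routine. This is an added example, not code from the thread, from Bro, or from the ProtoSig package; the function names are mine and the VXLAN-wrapped ARP frame it runs on is constructed inline. Header layout follows RFC 7348: one flags byte (0x08, the I flag, is the only defined bit), three reserved bytes, a 24-bit VNI, and one more reserved byte, so the VNI sits in bytes 4 to 6 rather than in the byte the signature matches.

```python
import struct
from typing import Optional

VXLAN_UDP_PORT = 4789        # IANA-assigned VXLAN port (RFC 7348)
VXLAN_HEADER_LEN = 8
VXLAN_FLAG_I = 0x08          # "VNI present" flag; the only flag RFC 7348 defines
ETHERNET_HEADER_LEN = 14


def parse_vxlan(udp_payload: bytes) -> dict:
    """Decode the 8-byte VXLAN header; return the VNI and the inner frame bytes.

    Raises ValueError when the payload does not look like VXLAN (too short,
    I flag clear, or undefined flag bits set) so the caller can fall back to
    treating the packet as ordinary UDP.
    """
    if len(udp_payload) < VXLAN_HEADER_LEN:
        raise ValueError("payload shorter than VXLAN header")
    flags = udp_payload[0]
    if flags != VXLAN_FLAG_I:
        # RFC 7348: I must be set and every other flag bit must be zero.
        raise ValueError(f"unexpected VXLAN flags 0x{flags:02x}")
    # Bytes 1..3 and 7 are reserved and ignored on receipt; bytes 4..6 are the VNI.
    vni = int.from_bytes(udp_payload[4:7], "big")
    return {"vni": vni, "inner_frame": udp_payload[VXLAN_HEADER_LEN:]}


def parse_ethernet(frame: bytes) -> dict:
    """Parse destination MAC, source MAC and EtherType from an Ethernet II frame."""
    if len(frame) < ETHERNET_HEADER_LEN:
        raise ValueError("inner frame shorter than Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETHERNET_HEADER_LEN])
    return {
        "dst_mac": ":".join(f"{b:02x}" for b in dst),
        "src_mac": ":".join(f"{b:02x}" for b in src),
        "ethertype": ethertype,
        "payload": frame[ETHERNET_HEADER_LEN:],
    }


def decap_vxlan(dst_port: int, udp_payload: bytes) -> Optional[dict]:
    """Same selection as the signature (UDP/4789, payload starting 0x08 0x00),
    followed by the decapsulation step the signature itself does not perform.

    Returns the decoded inner frame plus VNI, or None if this is not VXLAN.
    """
    if dst_port != VXLAN_UDP_PORT:
        return None
    try:
        vx = parse_vxlan(udp_payload)
        eth = parse_ethernet(vx["inner_frame"])
    except ValueError:
        return None
    return {"vni": vx["vni"], **eth}


def build_vxlan_payload(vni: int, inner_frame: bytes) -> bytes:
    """Wrap an Ethernet frame in a VXLAN header (used only to build sample input)."""
    return bytes([VXLAN_FLAG_I, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00" + inner_frame


# Constructed sample: a broadcast ARP frame (EtherType 0x0806) from 02:00:00:00:00:01,
# with a zeroed 28-byte ARP body, carried on VNI 0x123456.
SAMPLE_INNER_FRAME = bytes.fromhex("ffffffffffff" "020000000001" "0806") + b"\x00" * 28
SAMPLE_UDP_PAYLOAD = build_vxlan_payload(0x123456, SAMPLE_INNER_FRAME)

if __name__ == "__main__":
    decoded = decap_vxlan(VXLAN_UDP_PORT, SAMPLE_UDP_PAYLOAD)
    print(f"VNI {decoded['vni']:#x}: {decoded['src_mac']} -> {decoded['dst_mac']}, "
          f"EtherType {decoded['ethertype']:#06x}, {len(decoded['payload'])} payload bytes")
```

The flags check is what distinguishes decapsulation from the pattern match in the signature: a payload that merely starts with 0x08 0x00 is selected, but a payload with undefined flag bits set or too few bytes for an Ethernet header is rejected rather than handed to inner-frame analysis as if it were valid.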