[Bro] Bro decapsulating ERSPAN (GRE)

Matt Thoreson matt.thoreson at summitinfosec.com
Thu Nov 1 07:45:47 PDT 2018

For what it's worth, I tried stripping 50 bytes off the header in the
init-bar.bro file in the encap_hdr_size=50 line.  That seems to be the
magic number with this unusual ERSPAN GRE header size.  After doing that,
bro is recognizing and splitting all the logs out properly.

On Wed, Oct 31, 2018 at 2:32 PM Jon Siwek <jsiwek at corelight.com> wrote:

> On Wed, Oct 31, 2018 at 1:07 PM Jon Siwek <jsiwek at corelight.com> wrote:
> >
> > On Wed, Oct 31, 2018 at 12:40 PM Matt Thoreson
> > <matt.thoreson at summitinfosec.com> wrote:
> >
> > > I thought Bro could by default recognize and decapsulate the real
> traffic from the GRE tunnel (according to the bro notes it should be able
> to do this) but so far when bro runs it just sees the GRE traffic in its
> weird.log.
> >
> > It currently only handles a few GRE protocol types, and it doesn't seem
> > the ERSPAN ones are among them.
> To clarify that further: I totally missed that the changelog does say
> ERSPAN support was implemented, but I was just looking at the actual
> code, which does not seem to handle ERSPAN Type II or III (protocol
> types 0x88BE, 0x22EB).  The associated commit seems to instead handle
> Transparent Ethernet Bridging (protocol type 0x6558).  Not sure if I'm
> missing something.  Or if you can give a pcap to test against, that
> could help to verify what's going on and also serve as a test case for
> fixing anything that's broken/unimplemented in Bro.
> - Jon


Matt Thoreson, CISSP, OSCP
*Security Engineer | Summit Security Group, LLC*
m: 360.787.8998
w: http://summitinfosec.com/
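The thread turns on two facts: which GRE protocol type the outer header carries (0x88BE for ERSPAN Type II, 0x22EB for Type III, 0x6558 for Transparent Ethernet Bridging) and how many bytes of encapsulation sit in front of the inner Ethernet frame. The following parser is an added example written for this post, not code from Bro/Zeek or from either poster. It walks an outer Ethernet/IPv4/GRE header, accounts for the optional GRE checksum/key/sequence fields, adds the ERSPAN Type II (8-byte) or Type III (12-byte) header, and returns the total encapsulation length. The sample frames are constructed inline; the decomposition of Matt's "magic number" 50 as 14 (Ethernet) + 20 (IPv4) + 8 (GRE with sequence number) + 8 (ERSPAN Type II) is my own arithmetic, not something the thread states. Function and constant names are my own.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_GRE = 47

# GRE protocol types named in the thread above.
GRE_PROTO_TEB = 0x6558         # Transparent Ethernet Bridging
GRE_PROTO_ERSPAN_II = 0x88BE   # ERSPAN Type II
GRE_PROTO_ERSPAN_III = 0x22EB  # ERSPAN Type III

# GRE flag bits (RFC 2784/2890): checksum, key, sequence number.
GRE_FLAG_C = 0x8000
GRE_FLAG_K = 0x2000
GRE_FLAG_S = 0x1000

# Fixed-size header that follows GRE for each protocol type (0 = none).
AFTER_GRE_HDR_LEN = {
    GRE_PROTO_TEB: 0,
    GRE_PROTO_ERSPAN_II: 8,
    GRE_PROTO_ERSPAN_III: 12,
}


def gre_header_len(flags):
    """Length of the GRE header: 4 bytes base plus 4 for each optional field."""
    n = 4
    if flags & GRE_FLAG_C:
        n += 4  # checksum + reserved1
    if flags & GRE_FLAG_K:
        n += 4  # key
    if flags & GRE_FLAG_S:
        n += 4  # sequence number
    return n


def encap_header_size(frame):
    """Return (gre_protocol_type, total_outer_header_bytes) for an
    Ethernet/IPv4/GRE frame, i.e. the offset at which the inner
    Ethernet frame begins. Raises ValueError for anything else."""
    if len(frame) < 14 + 20 + 4:
        raise ValueError("frame too short for Ethernet/IPv4/GRE")
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("only an IPv4 outer header is handled here")
    off = 14
    ihl = (frame[off] & 0x0F) * 4          # IPv4 header length incl. options
    if frame[off + 9] != IPPROTO_GRE:
        raise ValueError("outer IPv4 payload is not GRE")
    off += ihl
    flags, gre_proto = struct.unpack_from("!HH", frame, off)
    off += gre_header_len(flags)
    if gre_proto not in AFTER_GRE_HDR_LEN:
        raise ValueError("unhandled GRE protocol type 0x%04x" % gre_proto)
    off += AFTER_GRE_HDR_LEN[gre_proto]
    return gre_proto, off


def build_frame(gre_flags, gre_proto, inner=b"\x00" * 20):
    """Construct a sample outer Ethernet/IPv4/GRE(+ERSPAN) frame. Addresses,
    checksums and the inner payload are placeholders; this is constructed
    test data, not a capture."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ipv4 = (bytes([0x45, 0]) + struct.pack("!H", 0) + b"\x00" * 4
            + bytes([64, IPPROTO_GRE]) + b"\x00" * 2
            + b"\x0a\x00\x00\x01" + b"\x0a\x00\x00\x02")
    gre = struct.pack("!HH", gre_flags, gre_proto)
    gre += b"\x00" * (gre_header_len(gre_flags) - 4)   # optional fields
    after = bytearray(AFTER_GRE_HDR_LEN[gre_proto])
    if gre_proto == GRE_PROTO_ERSPAN_II:
        after[0] = 1 << 4   # ERSPAN version nibble = 1 (Type II)
    elif gre_proto == GRE_PROTO_ERSPAN_III:
        after[0] = 2 << 4   # ERSPAN version nibble = 2 (Type III)
    return eth + ipv4 + gre + bytes(after) + inner


if __name__ == "__main__":
    for flags, proto in ((GRE_FLAG_S, GRE_PROTO_ERSPAN_II),
                         (GRE_FLAG_S, GRE_PROTO_ERSPAN_III),
                         (0, GRE_PROTO_TEB)):
        p, size = encap_header_size(build_frame(flags, proto))
        print("GRE proto 0x%04x -> inner frame starts at byte %d" % (p, size))
```

Running the block prints 50 for ERSPAN Type II with a GRE sequence number, which is the value the message above reports as working for encap_hdr_size; the same outer stack with Type III gives 54, and plain Transparent Ethernet Bridging without optional GRE fields gives 38. A quick way to sanity-check a fixed encap_hdr_size setting against your own capture is to run encap_header_size over the first few frames and confirm every one returns the same offset, since a mix of flag combinations or ERSPAN versions on the same span session would make a single constant wrong for part of the traffic.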
