snort-devel February 2014 archive

Re: [Snort-devel] Problems with MPLS traffic

From: Steven Sturges <steve.sturges_at_nospam>
Date: Sat Feb 01 2014 - 22:00:04 GMT
To: Packet Hack <pckthck@gmail.com>, snort-devel@lists.sourceforge.net

Hi--

Thanks for the report.

BPF is actually handled prior to the packets reaching Snort itself.

When Snort gets the packet -- and as you demonstrate, decodes MPLS
traffic -- it will apply the IP addresses and ports within
the preprocessor configurations and rules correctly.

Cheers.
-steve

On 1/31/14 2:07 PM, Packet Hack wrote:
> Our network recently began implementing MPLS. As snort is MPLS compatible,
> we weren't expecting any problems. However, our event count declined
> significantly immediately after the change was made.
>
> I did some digging, and it seems that snort may have problems with MPLS
> packets. I did a capture with the PF_RING tcpdump with the following
> filters (I note that tcpdump itself doesn't seem to be able to decode MPLS
> well):
>
> mpls
> not mpls
>
> Running snort with -vX on the mpls capture and the non-mpls capture
> shows that snort can decode each.
>
> % snort -vX -r /tmp/mpls-3.cap
> [...]
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 01/31-13:10:06.582169 50.X.X.X:53246 -> X.X.X.X:80
> TCP TTL:49 TOS:0x0 ID:51174 IpLen:20 DgmLen:410 DF
> ***AP*** Seq: 0x25E8887F Ack: 0x1016E18E Win: 0x202B TcpLen: 32
> TCP Options (3) => NOP NOP TS: 457447060 365150107
> 0x0000: 3C DF 1E 8C C3 00 A4 4C 11 E5 49 C0 88 47 00 A8  <......L..I..G..
> 0x0010: A1 31 45 00 01 9A C7 E6 40 00 31 06 E4 DA 32 XX  .1E.....@.1...2P
> 0x0020: XX XX XX XX XX XX CF FE 00 50 25 E8 88 7F 10 16  ....J....P%.....
> 0x0030: E1 8E 80 18 20 2B 6D 3B 00 00 01 01 08 0A 1B 44  .... +m;.......D
> 0x0040: 16 94 15 C3 BF 9B 47 45 54 20 2F 77 70 2D 63 6F  ......GET /wp-co
> 0x0050: 6E 74 65 6E 74 2F 74 68 65 6D 65 73 2F 75 66 6C  ntent/themes/ufl
> 0x0060: 2F 6C 69 62 72 61 72 79 2F 6A 73 2F 61 75 74 6F  /library/js/auto
>
> Stats (edited):
>
> Packet I/O Totals:
> Received: 10000
> Analyzed: 10000 (100.000%)
> Dropped: 0 ( 0.000%)
> Filtered: 0 ( 0.000%)
> Outstanding: 0 ( 0.000%)
> Injected: 0
>
> ===============================================================================
> Breakdown by protocol (includes rebuilt packets):
> Eth: 10000 (100.000%)
> IP4: 10000 (100.000%)
> TCP: 10000 (100.000%)
> [....]
> MPLS: 10000 (100.000%)
>
>
> % snort -vX -r /tmp/not-mpls.cap (works as expected)
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 01/31-11:38:03.216943 X.X.X.X:56010 -> 64.X.X.X:80
> TCP TTL:125 TOS:0x0 ID:1733 IpLen:20 DgmLen:1420 DF
> ***A**** Seq: 0xF5F77CAF Ack: 0xF2B2F688 Win: 0x101 TcpLen: 20
> 0x0000: 00 0E 83 C6 9B 40 A4 4C 11 E5 49 C0 08 00 45 00  .....@.L..I...E.
> 0x0010: 05 8C 06 C5 40 00 7D 06 2D 25 XX XX XX XX XX XX  ....@.}.-%...h@8
> 0x0020: XX F0 DA CA 00 50 F5 F7 7C AF F2 B2 F6 88 50 10  _....P..|.....P.
> 0x0030: 01 01 40 EE 00 00 47 45 54 20 2F 64 61 74 61 2F  ..@...GET /data/
>
> However, when run like so against the MPLS capture:
>
> % snort -F /tmp/bpf -vX -r /tmp/mpls-3.cap
>
> with a BPF file containing only
>
> port 80
>
> snort finishes without decoding a single packet:
>
> Packet I/O Totals:
> Received: 0
> Analyzed: 0 ( 0.000%)
> Dropped: 0 ( 0.000%)
> Filtered: 0 ( 0.000%)
> Outstanding: 0 ( 0.000%)
> Injected: 0
> [...]
> Eth: 0 ( 0.000%)
> VLAN: 0 ( 0.000%)
> IP4: 0 ( 0.000%)
> Frag: 0 ( 0.000%)
> ICMP: 0 ( 0.000%)
> UDP: 0 ( 0.000%)
> TCP: 0 ( 0.000%)
> [...]
> MPLS: 0 ( 0.000%)
>
> If the same logic used to apply the BPF filter to MPLS rules is used
> to apply port specifications in snort rules, snort will be missing lots
> of packets, especially rules with $HTTP_PORTS . I don't know if
> that's the case, however.
>
> System info:
>
> Production snort host
> ---------------------
> OS : ubuntu 10.04
> snort : 2.9.5.6/PF_RING daq 5.6.1
>
> The capture files were also tested here:
>
> Test machine
> ------------
> OS : Red Hat Enterprise Linux Server release 6.5 (Santiago)
> snort : 2.9.6.0/Centos RPM from snort.org
>
> with the same results.
>
> If there's something we need to do to get this working, please let us know.
>
> Capture files available on request.
>
> -- pckthck
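Steve's point is that the BPF runs in the DAQ before Snort's decoder ever sees the frame: a plain `port 80` only finds ports when the IPv4 header sits directly behind EtherType 0x0800, so it never looks past an 0x8847 MPLS label, while Snort's own decoder (and therefore rule ports) does. As an added illustration, not code from this thread or from Snort, the script below decodes the two frames from the report's `snort -vX` output, with the masked XX address bytes filled in with constructed values, and contrasts that naive match with an MPLS-aware one; the `port 80 or (mpls and port 80)` filter it emulates uses libpcap's `mpls` keyword as documented in pcap-filter(7).

```python
import struct

ETH_IPV4, ETH_MPLS = 0x0800, 0x8847  # EtherTypes: IPv4 and MPLS unicast

# Header bytes from the two `snort -vX` dumps in the report. Constructed:
# the masked XX address bytes are filled with 50.0.2.1 -> 192.0.2.10 and
# 192.0.2.7 -> 64.0.2.240; payload after the TCP header is dropped.
MPLS_FRAME = bytes.fromhex(
    "3cdf1e8cc300a44c11e549c0 8847 00a8a131"        # Ethernet + 1 MPLS label
    "4500019ac7e6400031 06 e4da 32000201 c000020a"  # IPv4, protocol 6 (TCP)
    "cffe0050 25e8887f 1016e18e 8018202b6d3b0000")  # TCP 53246 -> 80
PLAIN_FRAME = bytes.fromhex(
    "000e83c69b40a44c11e549c0 0800"                 # Ethernet, IPv4 directly
    "4500058c06c540007d06 2d25 c0000207 400002f0"   # IPv4, protocol 6 (TCP)
    "daca0050 f5f77caf f2b2f688 5010010140ee0000")  # TCP 56010 -> 80

def decode(frame):
    """Return (ethertype, mpls_labels, src_port, dst_port), or None when the
    frame is not IPv4 carrying TCP/UDP, optionally behind an MPLS label stack."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    off, labels = 14, []
    if ethertype == ETH_MPLS:
        while True:  # pop labels until the bottom-of-stack (S) bit is set
            entry = struct.unpack_from("!I", frame, off)[0]
            labels.append(entry >> 12)  # label = top 20 bits of the entry
            off += 4
            if entry & 0x100:
                break
    elif ethertype != ETH_IPV4:
        return None
    if frame[off] >> 4 != 4 or frame[off + 9] not in (6, 17):
        return None  # MPLS carries no EtherType: check IP version; TCP/UDP only
    ihl = (frame[off] & 0x0F) * 4
    sport, dport = struct.unpack_from("!HH", frame, off + ihl)
    return ethertype, labels, sport, dport

def naive_port_match(frame, port):
    """Emulates a plain `port 80` BPF: ports are only found when the IPv4
    header sits directly behind EtherType 0x0800 (IPv6 case omitted)."""
    r = decode(frame)
    return r is not None and r[0] == ETH_IPV4 and port in r[2:]

def mpls_aware_port_match(frame, port):
    """Emulates `port 80 or (mpls and port 80)`: libpcap's `mpls` keyword
    shifts the decoding offsets past the label stack (pcap-filter(7))."""
    r = decode(frame)
    return r is not None and port in r[2:]
```

The MPLS frame decodes to label 2698 with TTL 49 and ports 53246 -> 80, matching the `TCP TTL:49` line Snort printed, yet the naive filter rejects it.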
