Snort supports decoding of many tunneling protocols, including GRE, PPTP over GRE, MPLS, IP in IP, and ERSPAN, all of which are enabled by default.
To disable support for all GRE-related encapsulation (PPTP over GRE, IPv4/IPv6 over GRE, and ERSPAN), an extra configuration option is necessary:
$ ./configure --disable-gre
To disable support for MPLS, a separate extra configuration option is necessary:
$ ./configure --disable-mpls
Snort will not decode more than one encapsulation. Scenarios such as
Eth IPv4 GRE IPv4 GRE IPv4 TCP Payload
or
Eth IPv4 IPv6 IPv4 TCP Payload
will not be handled and will generate a decoder alert.
Currently, only the encapsulated part of the packet is logged, e.g.
Eth IP1 GRE IP2 TCP Payload
gets logged as
Eth IP2 TCP Payload
and
Eth IP1 IP2 TCP Payload
gets logged as
Eth IP2 TCP Payload
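The following is an added example, not code from Snort: it models the rules stated above by walking a frame's header stack, counting encapsulations, and returning the layers the page says would be logged. The function names and sample frames are constructed for illustration; frames are assumed complete, and IPv6 extension headers and GRE headers other than the RFC 2784/2890 layout are not handled.

```python
import struct

# IP protocol numbers: 4 = IPv4-in-IP, 41 = IPv6-in-IP, 47 = GRE, 6 = TCP
NEXT_BY_PROTO = {4: "IPv4", 41: "IPv6", 47: "GRE", 6: "TCP"}
NEXT_BY_ETHERTYPE = {0x0800: "IPv4", 0x86DD: "IPv6"}

def gre_len(flags):
    # 4-byte base header plus 4 bytes per optional field (checksum, key, sequence)
    return 4 + 4 * bin(flags & 0xB000).count("1")

def layers(frame):
    """Header stack of an Ethernet frame, e.g. ['Eth', 'IPv4', 'GRE', 'IPv4', 'TCP']."""
    stack, off = ["Eth"], 14
    nxt = NEXT_BY_ETHERTYPE.get(struct.unpack_from("!H", frame, 12)[0])
    while nxt:
        stack.append(nxt)
        if nxt == "IPv4":            # protocol at byte 9, header length from IHL
            nxt, off = NEXT_BY_PROTO.get(frame[off + 9]), off + (frame[off] & 0x0F) * 4
        elif nxt == "IPv6":          # assumption: no IPv6 extension headers
            nxt, off = NEXT_BY_PROTO.get(frame[off + 6]), off + 40
        elif nxt == "GRE":
            flags, ptype = struct.unpack_from("!HH", frame, off)
            nxt, off = NEXT_BY_ETHERTYPE.get(ptype), off + gre_len(flags)
        else:                        # transport header reached
            break
    return stack

def snort_view(stack):
    """Model of the rules above: (encapsulation depth, logged layers or None if not handled)."""
    ip_idx = [i for i, name in enumerate(stack) if name in ("IPv4", "IPv6")]
    depth = max(len(ip_idx) - 1, 0)
    if depth > 1:                    # more than one encapsulation: decoder alert
        return depth, None
    return depth, (["Eth"] + stack[ip_idx[-1]:] if depth == 1 else stack)

# Constructed sample headers (zero-filled except for the fields the parser reads)
def eth(ethertype): return bytes(12) + struct.pack("!H", ethertype)
def ip4(proto): return bytes([0x45]) + bytes(8) + bytes([proto]) + bytes(10)
def ip6(next_hdr): return bytes([0x60]) + bytes(5) + bytes([next_hdr]) + bytes(33)
def gre(ptype, flags=0): return struct.pack("!HH", flags, ptype) + bytes(gre_len(flags) - 4)
TCP = bytes(20)

if __name__ == "__main__":
    single = eth(0x0800) + ip4(47) + gre(0x0800) + ip4(6) + TCP
    double = eth(0x0800) + ip4(47) + gre(0x0800) + ip4(47) + gre(0x0800) + ip4(6) + TCP
    for frame in (single, double):
        print(" ".join(layers(frame)), "->", snort_view(layers(frame)))
```

A depth greater than 1 marks traffic that the sensor, as described above, will alert on but not inspect past the decoder.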
Note:
Decoding of PPTP, which utilizes GRE and PPP, is not currently supported on architectures that require word alignment such as SPARC.