Snort supports decoding of GRE, IP in IP and PPTP. To enable support, an extra configuration option is necessary:
$ ./configure --enable-gre
To enable IPv6 support, one still needs to use the configuration option:
$ ./configure --enable-ipv6
Snort will not decode more than one encapsulation. Scenarios such as
Eth IPv4 GRE IPv4 GRE IPv4 TCP Payload
or
Eth IPv4 IPv6 IPv4 TCP Payload
will not be handled and will generate a decoder alert.
Currently, only the encapsulated part of the packet is logged, e.g.
Eth IP1 GRE IP2 TCP Payload
gets logged as
Eth IP2 TCP Payload
and
Eth IP1 IP2 TCP Payload
gets logged as
Eth IP2 TCP Payload
|
Note:
Decoding of PPTP, which utilizes GRE and PPP, is not currently supported on architectures that require word alignment such as SPARC.
|