Support #3131

Protocol identifiers

Added by Max Mustermann about 2 months ago. Updated 20 days ago.

Status: Feedback
Priority: Normal
Target version:
Affected Versions:
Effort:
Difficulty: low
Label:

Description

I see some activity on my network that is not IP data. At least the IP protocol identifier is not issuing alerts. In the stats logs I can see that the decoder.invalid entry is filling. So my question is: can I use another protocol identifier that enables layer 2 alerts? The identifiers I know of are those I got from the User Guide (https://suricata.readthedocs.io/en/suricata-4.1.4/rules/intro.html#protocol) and they are not working for this very issue.

Glad to get some hints :)

Thanks!

History

#1

Updated by Andreas Herz about 2 months ago

  • Status changed from New to Feedback
  • Assignee set to Community Ticket
  • Target version set to Support

What type of traffic is it exactly?

#2

Updated by Max Mustermann about 1 month ago

I am not sure. It looks like raw Ethernet with a handcrafted protocol at layer 3. This may be ok, but I do not know how to trigger alerts for layer 2. Is this planned or even possible somehow?

Thanks!

#3

Updated by Max Mustermann about 1 month ago

Still glad if I can get some help on this matter.

#4

Updated by Andreas Herz about 1 month ago

Can you try to extract a pcap of that?
Without exact details it's rather hard to tell.

#5

Updated by Max Mustermann about 1 month ago

Sorry, unfortunately I cannot. But the lowest level (on the network protocol stack) for alerts is the 'ip' protocol identifier, right? There is no such thing as 'ethernet' or 'wlan' or 'mac' or comparable identifiers which I can alert on, right?

#6

Updated by Andreas Herz 26 days ago

Nope, those aren't available.

#7

Updated by Max Mustermann 23 days ago

Ok, thanks for the information. The ticket can be closed.

#8

Updated by Andreas Herz 23 days ago

We could convert that to a feature request, any thoughts @Victor?

#9

Updated by Victor Julien 20 days ago

I'm still unclear on what the request is.

Max did you enable all the rules from rules/decoder-events.rules? These should tell you why Suricata thinks packets are invalid.
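
A counter such as decoder.invalid only says that packets failed decoding, not which decoder rejected them; the decode-event rules Victor points to give the reason per packet. A cheaper first step, before those rules are enabled, is to compare consecutive snapshots of the human-readable stats.log and see which decoder.* counters grow in step with decoder.invalid (for instance decoder.ethernet rising while decoder.ipv4 does not would match the "raw Ethernet, non-IP payload" guess above). The script below is an added example written for this ticket; it is not part of Suricata or of the thread. It assumes the classic "Counter | TM Name | Value" table layout of stats.log with one block per interval, and the embedded sample is constructed with made-up values for illustration.

```python
"""Find which Suricata decoder.* counters grow alongside decoder.invalid.

Added example, not Suricata's own code. Parses the human-readable
stats.log table (assumed layout: 'Counter | TM Name | Value', one block
per 'Date:' header) and reports per-interval deltas of decoder.* counters.
"""
import re
from collections import OrderedDict

# Constructed sample: two consecutive stats.log snapshots with invented values.
SAMPLE_STATS_LOG = """\
------------------------------------------------------------------------------------
Date: 5/10/2019 -- 12:00:10 (uptime: 0d, 00h 00m 10s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 1000
decoder.pkts                               | Total                     | 1000
decoder.ethernet                           | Total                     | 1000
decoder.ipv4                               | Total                     | 950
decoder.invalid                            | Total                     | 0
decoder.avg_pkt_size                       | Total                     | 512
------------------------------------------------------------------------------------
Date: 5/10/2019 -- 12:00:20 (uptime: 0d, 00h 00m 20s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 2000
decoder.pkts                               | Total                     | 2000
decoder.ethernet                           | Total                     | 2000
decoder.ipv4                               | Total                     | 1500
decoder.invalid                            | Total                     | 350
decoder.avg_pkt_size                       | Total                     | 480
"""

# One counter row: name, thread-module name, integer value.
ROW = re.compile(r'^(?P<name>\S+)\s*\|\s*(?P<tm>[^|]+?)\s*\|\s*(?P<value>\d+)\s*$')
# Block header, e.g. "Date: 5/10/2019 -- 12:00:10 (uptime: ...)".
DATE = re.compile(r'^Date:\s*(?P<date>.+?)\s*\(uptime')


def parse_snapshots(text):
    """Return a list of (date, {counter: value}) blocks in file order."""
    snapshots = []
    current = None
    for line in text.splitlines():
        m = DATE.match(line)
        if m:
            current = (m.group('date'), OrderedDict())
            snapshots.append(current)
            continue
        m = ROW.match(line)
        if m and current is not None:
            current[1][m.group('name')] = int(m.group('value'))
    return snapshots


# Gauges under decoder.* that are not monotonic counts and must be ignored.
GAUGES = ('decoder.avg_pkt_size', 'decoder.max_pkt_size')


def growing_counters(snapshots, prefix='decoder.', exclude=GAUGES):
    """For each consecutive snapshot pair, return (date, {counter: delta})
    for counters under prefix whose value increased in that interval."""
    out = []
    for (_, prev), (date, cur) in zip(snapshots, snapshots[1:]):
        deltas = OrderedDict()
        for name, value in cur.items():
            if not name.startswith(prefix) or name in exclude:
                continue
            delta = value - prev.get(name, 0)
            if delta > 0:
                deltas[name] = delta
        out.append((date, deltas))
    return out


def invalid_share(deltas):
    """Fraction of packets decoded in this interval that were flagged invalid."""
    pkts = deltas.get('decoder.pkts', 0)
    return deltas.get('decoder.invalid', 0) / pkts if pkts else 0.0


if __name__ == '__main__':
    for date, deltas in growing_counters(parse_snapshots(SAMPLE_STATS_LOG)):
        print(date)
        for name, delta in deltas.items():
            print(f"  {name:<28} +{delta}")
        print(f"  invalid share of new packets: {invalid_share(deltas):.1%}")
```

Run it against a real stats.log by replacing SAMPLE_STATS_LOG with the file's contents; an interval in which decoder.ethernet and decoder.invalid grow by similar amounts while decoder.ipv4 stays flat is the pattern to look for. Whatever the counters suggest, the decode-event rules remain the authoritative answer, because they name the specific check each packet failed.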
