I see some activity on my network that is not IP data. At least the IP protocol identifier is not issuing any alerts for it. In the stats logs I can see that the decoder.invalid entry is filling. So my question is: Can I use another protocol identifier that enables layer 2 alerts? The identifiers I know of are those I got from the User Guide (https://suricata.readthedocs.io/en/suricata-4.1.4/rules/intro.html#protocol) and they are not working for this very issue.
Glad to get some hints :)
- Status changed from New to Feedback
- Assignee set to Community Ticket
- Target version set to Support
What type of traffic is it exactly?
I am not sure. It looks like raw ethernet with a handcrafted protocol at layer 3. This may be ok, but I do not know how to trigger alerts for layer 2. Is this planned or even possible somehow?
Still glad if I can get some help on this matter.
Can you try to extract a pcap of that?
Without exact details it's rather hard to tell
Sorry, unfortunately I cannot. But the lowest level (on the network protocol stack) for alerts is with the 'ip' protocol identifier, right? There is no such thing as 'ethernet' or 'wlan' or 'mac' or comparable identifiers which I can alert on, right?
Nope, those aren't available.
Ok, thanks for the information. The ticket can be closed.
We could convert that to a feature request, any thoughts @Victor?
I'm still unclear on what the request is.
Max, did you enable all the rules from rules/decoder-events.rules? These should tell you why Suricata thinks packets are invalid.
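As an added illustration of the suggestion above (not part of the ticket, and not Suricata's shipped ruleset): decoder-events.rules uses the `pkthdr` protocol keyword together with `decode-event`, which is what fires on malformed frames that never get far enough to match an `ip` rule. The event names are ones I know from the shipped decoder-events.rules; the sids and msg strings are constructed placeholders, and the `rule-files` snippet assumes the default suricata.yaml layout.

```suricata
# suricata.yaml: make sure the shipped decoder rules are loaded at all
# (constructed excerpt; only the rule-files list is shown)
#
# rule-files:
#   - suricata.rules
#   - decoder-events.rules
#
# The rules below mirror the style of decoder-events.rules. "pkthdr"
# matches on the packet header regardless of whether IP was decoded,
# so these fire for traffic that the "ip" protocol keyword never sees.

# Ethernet frame shorter than the Ethernet header: pure layer-2 failure.
alert pkthdr any any -> any any (msg:"LOCAL decoder Ethernet packet too small"; decode-event:ethernet.pkt_too_small; classtype:protocol-command-decode; sid:9000001; rev:1;)

# Ethertype says IPv4 but the version nibble in the IP header disagrees:
# typical signature of a handcrafted layer-3 protocol riding on Ethernet.
alert pkthdr any any -> any any (msg:"LOCAL decoder IPv4 wrong IP version"; decode-event:ipv4.wrong_ip_version; classtype:protocol-command-decode; sid:9000002; rev:1;)

# Payload after the Ethernet header is too short to hold an IPv4 header.
alert pkthdr any any -> any any (msg:"LOCAL decoder IPv4 packet too small"; decode-event:ipv4.pkt_too_small; classtype:protocol-command-decode; sid:9000003; rev:1;)

# Same checks for IPv6, since decoder.invalid counts both families.
alert pkthdr any any -> any any (msg:"LOCAL decoder IPv6 packet too small"; decode-event:ipv6.pkt_too_small; classtype:protocol-command-decode; sid:9000004; rev:1;)
```

Once these fire, the alert's msg tells you which decoder check rejected the frame, which is the closest thing to a layer-2 match the rule language offers; the per-event counters under `decoder.` in stats.log should rise in step with them.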