Support #3131

Protocol identifiers

Added by Max Mustermann over 4 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal
Affected Versions:
Label:

Description

I see some activity on my network that is no IP data. At least the IP protocol identifier is not issuing alerts. In the stats logs I can see that the decoder.invalid entry is filling. So my question is: Can I use another protocol identifier that enables layer2 alerts? The identifiers I know of are those I got from the User Guide (https://suricata.readthedocs.io/en/suricata-4.1.4/rules/intro.html#protocol) and they are not working for this very issue.

Glad to get some hints :)

Thanks!

Actions #1

Updated by Andreas Herz over 4 years ago

  • Status changed from New to Feedback
  • Assignee set to Community Ticket
  • Target version set to Support

What type of traffic is it exactly?

Actions #2

Updated by Max Mustermann over 4 years ago

I am not sure. It looks like raw ethernet with a handcrafted protocol at layer 3. This may be ok but I do not know how to trigger alerts for layer2? Is this planned or even possible somehow?

Thanks!

Actions #3

Updated by Max Mustermann over 4 years ago

Still glad if I can get some help on this matter.

Actions #4

Updated by Andreas Herz over 4 years ago

Can you try to extract a pcap of that?
Without exact details it's rather hard to tell

Actions #5

Updated by Max Mustermann over 4 years ago

Sorry, unfortunately I cannot. But the lowest level (on the network protocol stack) for alerts is with the 'ip' protocol identifier, right? There is no such thing as, 'ethernet' or 'wlan' or 'mac' or comparables which I can alert for, right?

Actions #6

Updated by Andreas Herz over 4 years ago

Nope, those aren't available.

Actions #7

Updated by Max Mustermann over 4 years ago

Ok, thanks for the information. The ticket can be closed.

Actions #8

Updated by Andreas Herz over 4 years ago

We could convert that to a feature request, any thoughts @Victor?

Actions #9

Updated by Victor Julien over 4 years ago

I'm still unclear on what the request is.

Max did you enable all the rules from rules/decoder-events.rules? These should tell you why Suricata thinks packets are invalid.
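One way to watch the stats.log counter the reporter mentions, as an added example that is not part of this ticket or of Suricata: it parses consecutive stats.log dumps and reports how much decoder.invalid grows per interval relative to decoder.pkts, which tells you whether the rejected traffic is a constant trickle or a burst worth capturing. The sample dump and its values are constructed, and the column layout is assumed to match Suricata 4.x.

```python
# Parse Suricata stats.log dumps and track decoder counters between dumps.
# Added example for this thread, not Suricata's own code. Assumes the 4.x
# stats.log layout: a `Date:` header per dump, then `counter | TM Name | value`.

# Constructed sample: two consecutive stats.log dumps (values are made up).
SAMPLE_STATS_LOG = """\
------------------------------------------------------------------------------------
Date: 8/6/2019 -- 11:28:22 (uptime: 0d, 00h 00m 15s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 1000
decoder.pkts                               | Total                     | 1000
decoder.ipv4                               | Total                     | 940
decoder.invalid                            | Total                     | 60
------------------------------------------------------------------------------------
Date: 8/6/2019 -- 11:28:37 (uptime: 0d, 00h 00m 30s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 2100
decoder.pkts                               | Total                     | 2100
decoder.ipv4                               | Total                     | 1980
decoder.invalid                            | Total                     | 120
"""

def parse_stats_dumps(text):
    """Return one {counter: value} dict per dump, in file order."""
    dumps, current = [], None
    for line in text.splitlines():
        if line.startswith("Date:"):          # start of a new periodic dump
            current = {}
            dumps.append(current)
        elif current is not None and "|" in line:
            fields = [f.strip() for f in line.split("|")]
            if len(fields) == 3 and fields[2].isdigit():   # skips the column header
                current[fields[0]] = int(fields[2])
    return dumps

def decoder_deltas(dumps, prefix="decoder."):
    """Increase of every decoder.* counter between consecutive dumps."""
    return [{k: cur[k] - prev.get(k, 0) for k in cur if k.startswith(prefix)}
            for prev, cur in zip(dumps, dumps[1:])]

def invalid_ratio(delta):
    """Share of an interval's packets the decoder rejected (0.0 if none seen)."""
    pkts = delta.get("decoder.pkts", 0)
    return delta.get("decoder.invalid", 0) / pkts if pkts else 0.0
```

Run it against a real stats.log with `parse_stats_dumps(open(path).read())`; a steadily non-zero ratio on every interval points at something structural on the segment rather than an occasional malformed frame.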

Actions #10

Updated by Andreas Herz over 3 years ago

  • Status changed from Feedback to Closed

Hi, we're closing this issue since there have been no further responses.
If you think this bug is still relevant, try to test it again with the
most recent version of suricata and reopen the issue. If you want to
improve the bug report please take a look at
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs
