Bug #3258

open

VXLAN exceeds MTU maximum

Added by xu hui over 4 years ago. Updated about 2 years ago.

Status:
Feedback
Priority:
Normal
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

My Suricata is deployed on AWS, where the VXLAN protocol is used to encapsulate and send traffic mirrors, which causes the MTU to exceed the maximum. When a packet with an MTU exceeding the maximum value appears in the TCP stream, Suricata cannot perform protocol parsing on subsequent normal packets. On the other hand, Wireshark can parse the contents of subsequent normal-length packets. This is important to me because I can't modify the MTU in a production environment, but I need to parse the contents of subsequent normal packets.

This is a sample PCAP:
First, I visited the normal page (HTTP) three times;
then, a large page (HTTP) was accessed, triggering the VXLAN MTU to exceed its maximum value;
finally, the normal page (HTTP) was accessed 10 times.

Suricata can only parse 4 HTTP events;
Wireshark can parse 13 HTTP events.
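To make the size arithmetic behind this report concrete, here is an added example (not code from the reporter or from Suricata) that builds a constructed outer Ethernet/IPv4/UDP/VXLAN frame, decapsulates it, and reports whether the encapsulated packet exceeds the link MTU of the mirror path. It assumes the AWS mirror uses the standard VXLAN UDP port 4789 and a 9001-byte link MTU (taken from the sample file name); all addresses and the VNI are made up.

```python
import struct

VXLAN_PORT = 4789                   # IANA-assigned VXLAN UDP port
ENCAP_OVERHEAD = 14 + 20 + 8 + 8    # outer Ethernet + IPv4 + UDP + VXLAN headers

def build_vxlan_frame(vni: int, inner_ip_len: int) -> bytes:
    """Construct a sample VXLAN-encapsulated frame (constructed data, not real
    traffic) whose inner IPv4 packet has total length inner_ip_len."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, inner_ip_len, 0, 0, 64, 6, 0,
                           bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    inner_ip += b"\x00" * (inner_ip_len - 20)          # dummy TCP segment
    inner_eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + inner_ip
    # VXLAN header: flags (I bit set), 3 reserved, 3-byte VNI, 1 reserved
    vxlan = struct.pack("!B3s3sB", 0x08, b"\x00" * 3, vni.to_bytes(3, "big"), 0)
    udp_len = 8 + len(vxlan) + len(inner_eth)
    udp = struct.pack("!HHHH", 40000, VXLAN_PORT, udp_len, 0)
    outer_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                           bytes([172, 16, 0, 1]), bytes([172, 16, 0, 2]))
    outer_eth = b"\x06" * 6 + b"\x08" * 6 + b"\x08\x00"
    return outer_eth + outer_ip + udp + vxlan + inner_eth

def decap_vxlan(frame: bytes):
    """Return (vni, inner_frame, outer_ip_total_len), or None if not VXLAN/IPv4/UDP."""
    if len(frame) < ENCAP_OVERHEAD or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    outer_len = struct.unpack("!H", frame[16:18])[0]
    if frame[14 + 9] != 17:                             # outer protocol must be UDP
        return None
    udp = 14 + ihl
    if struct.unpack("!H", frame[udp + 2:udp + 4])[0] != VXLAN_PORT:
        return None
    vx = udp + 8
    if not frame[vx] & 0x08:                            # "I" flag: VNI is valid
        return None
    vni = int.from_bytes(frame[vx + 4:vx + 7], "big")
    return vni, frame[vx + 8:], outer_len

def check_mtu(frame: bytes, link_mtu: int) -> dict:
    """Compare the outer IP packet (inner packet plus encapsulation) to the link MTU."""
    res = decap_vxlan(frame)
    if res is None:
        return {"vxlan": False}
    vni, inner, outer_len = res
    inner_ip_len = struct.unpack("!H", inner[16:18])[0]  # inner IPv4 total length
    return {"vxlan": True, "vni": vni, "inner_ip_len": inner_ip_len,
            "outer_ip_len": outer_len, "overhead": outer_len - inner_ip_len,
            "exceeds_mtu": outer_len > link_mtu}
```

An inner packet that already fills a 9001-byte MTU becomes a 9051-byte outer packet after the 50 bytes of encapsulation, which is exactly the condition the report describes.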


Files

mtu_9001_vxlan.tgz (239 KB), Sample PCAP, xu hui, 10/17/2019 02:34 PM
mtu_9001_vxlan.tgz (239 KB), xu hui, 10/18/2019 04:12 AM
vxlan-eve.tar.gz (2.33 KB), Peter Manev, 10/18/2019 08:41 AM

Related issues (1 open, 0 closed)

Related to Suricata - Bug #3348: Possible detection issue with VXLAN parser (Feedback, Tiago F.)