Possible detection issue with VXLAN parser
It seems there is an issue, which I haven't been able to drill down, with the VXLAN parser which is causing failures on detection.
How to reproduce and use the attached PCAP:
- Filtering for http shows, on IP 10.0.0.131 (same host as Suricata) successful detection of 2013414 (ET POLICY Executable served from Amazon S3) and 2018959 (ET POLICY PE EXE or DLL Windows file download HTTP)
- Still filtered on http , for both IP 10.0.0.205 and 10.0.0.144 , no detection happens for the (apparently) same traffic
- In the last test (which simulates id check returned root) , both 10.0.0.205 and 10.0.0.144 successfully detect /uid/index.html which triggers 2100498 (GPL ATTACK_RESPONSE id check returned root)
Any additional information I can provide, please let me know.