Feature #5956
open
Report traffic with missing VLAN tag
Added by Joerg Manasse about 1 year ago.
Updated about 1 year ago.
Description
Sometimes outgoing packets have a VLAN tag, but the corresponding incoming packets do not.
There is a corresponding config parameter so that Suricata can deal with this.
However, it would be helpful to recognise such traffic (actively) in order to be able to react.
Report traffic with missing VLAN tag in the out or incoming packets of the same data stream.
Solution: Message in the log file or when called up directly with a corresponding (new) parameter.
What would the logic be? Some ratio of non-vlan vs vlan leads to the warning? The stats logging should make it easy to do this already btw, something like a decoder.ethernet vs decoder.vlan check.
Victor Julien wrote in #note-1:
What would the logic be? Some ratio of non-vlan vs vlan leads to the warning? The stats logging should make it easy to do this already btw, something like a decoder.ethernet vs decoder.vlan check.
Another idea would be a decoder-events.rule that could detect it, like "Missing VLAN tag in one direction of a flow" or so.
I have seen this issue in the past as well. You mirrored 5Gbit/s of traffic and ended up confused why only a very small amount of events/alerts are seen. Once you dig into the traffic you spot that one direction of a flow as including the VLAN ID and the other direction was not including it. Only then you recognize it's the `vlan.use-for-tracking: true` option.
A workaround would be an external tool to use a script to do some sort of baseline and detect it (tshark or tcpdump).
Also available in: Atom
PDF