
Optimization #7849: rule 2200121 : SURICATA Ethertype unknown

Added by François RAPIN 11 months ago. Updated 28 days ago.

Status:
In Review
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

Hi,

My Debian version: Debian GNU/Linux 13 (trixie)
Suricata version: 8.0.0

About rule 2200121:
Today, this alert brings up this information:

{
  "timestamp": "2025-08-12T01:09:59.207354+0200",
  "in_iface": "enp4s0",
  "event_type": "alert",
  "pkt_src": "wire/pcap",
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 2200121,
    "rev": 1,
    "signature": "SURICATA Ethertype unknown",
    "category": "Generic Protocol Command Decode",
    "severity": 3
  }
}

Is it possible that in the future this alert will also indicate the affected protocol number?

In fact, yesterday I upgraded from Bookworm to Trixie and was able to compile Suricata version 8 (because rustc > 1.75.0).
In Suricata 7.0.11, this alert was never reported. But with version 8.0.0, yesterday over a period of 6h 31m 51s, I got:
38643 x 2200121 - SURICATA Ethertype unknown
Knowing the Ethertype would help clarify the problem:
- Is it a Suricata configuration issue? (The interface is 802.1q, enp4s0 = vlan1 and enp4s0.96 = vlan96, and I specified enp4s0 in the suricata configuration, IPS mode)
- Is it a Trixie issue, and if yes, which one?
- Is it a network attack?
- Other?
At the moment I don't have enough information to go further. Running a network analysis is always long and tedious.

For fun, unless I misunderstood something, for me:
capture.kernel_packets - decoder.ipv4 - decoder.arp - decoder.unknown_ethertype must be equal to zero.
316785 - 274652 - 3491 - 38643 = -1 Why?
Losing a packet isn't a big deal, but it can mask a bigger problem.

Thank you in advance for your feedback.

François.

---------------------------------------------------------------------------------------------------
Counter                                                      | TM Name                   | Value
---------------------------------------------------------------------------------------------------
capture.kernel_packets                                       | Total                     | 316785
capture.afpacket.polls                                       | Total                     | 532375
capture.afpacket.poll_timeout                                | Total                     | 416889
capture.afpacket.poll_data                                   | Total                     | 115486
decoder.pkts                                                 | Total                     | 316786
decoder.bytes                                                | Total                     | 172455686
decoder.ipv4                                                 | Total                     | 274652
decoder.ethernet                                             | Total                     | 316786
decoder.arp                                                  | Total                     | 3491
decoder.unknown_ethertype                                    | Total                     | 38643
decoder.tcp                                                  | Total                     | 145539
tcp.syn                                                      | Total                     | 212
tcp.synack                                                   | Total                     | 212
tcp.rst                                                      | Total                     | 19
decoder.udp                                                  | Total                     | 122448
decoder.icmpv4                                               | Total                     | 1354
decoder.vlan                                                 | Total                     | 222881
decoder.avg_pkt_size                                         | Total                     | 544
decoder.max_pkt_size                                         | Total                     | 1514
tcp.active_sessions                                          | Total                     | 1
flow.total                                                   | Total                     | 28709
flow.active                                                  | Total                     | 92
flow.tcp                                                     | Total                     | 227
flow.udp                                                     | Total                     | 28302
flow.icmpv4                                                  | Total                     | 180
flow.wrk.spare_sync_avg                                      | Total                     | 99
flow.wrk.spare_sync                                          | Total                     | 287
flow.wrk.spare_sync_incomplete                               | Total                     | 121
decoder.event.ipv4.opt_pad_required                          | Total                     | 3721
decoder.event.ethernet.unknown_ethertype                     | Total                     | 38643
flow.wrk.flows_evicted_needs_work                            | Total                     | 198
flow.wrk.flows_evicted_pkt_inject                            | Total                     | 336
flow.wrk.flows_evicted                                       | Total                     | 149
flow.wrk.flows_injected                                      | Total                     | 198
flow.wrk.flows_injected_max                                  | Total                     | 1
tcp.sessions                                                 | Total                     | 212
tcp.ssn_from_cache                                           | Total                     | 183
tcp.ssn_from_pool                                            | Total                     | 29
tcp.pseudo                                                   | Total                     | 6
tcp.segment_from_cache                                       | Total                     | 21390
tcp.segment_from_pool                                        | Total                     | 443
tcp.stream_depth_reached                                     | Total                     | 26
tcp.overlap                                                  | Total                     | 2
detect.alert                                                 | Total                     | 39163
detect.alerts_suppressed                                     | Total                     | 832
app_layer.flow.failed_tcp                                    | Total                     | 6
app_layer.flow.http                                          | Total                     | 3
app_layer.tx.http                                            | Total                     | 3
app_layer.flow.ftp                                           | Total                     | 31
app_layer.tx.ftp                                             | Total                     | 352
app_layer.flow.tls                                           | Total                     | 10
app_layer.flow.ssh                                           | Total                     | 6
app_layer.flow.ntp                                           | Total                     | 294
app_layer.tx.ntp                                             | Total                     | 756
app_layer.flow.ftp-data                                      | Total                     | 31
app_layer.flow.tftp                                          | Total                     | 13
app_layer.tx.tftp                                            | Total                     | 13
app_layer.flow.dhcp                                          | Total                     | 99
app_layer.tx.dhcp                                            | Total                     | 311
app_layer.flow.mdns                                          | Total                     | 20
app_layer.tx.mdns                                            | Total                     | 53032
app_layer.flow.failed_udp                                    | Total                     | 8165
app_layer.flow.dns_udp                                       | Total                     | 18947
app_layer.tx.dns_udp                                         | Total                     | 38841
app_layer.flow.sip_udp                                       | Total                     | 764
app_layer.tx.sip_udp                                         | Total                     | 72
app_layer.error.sip_udp.parser                               | Total                     | 6802
flow.end.state.new                                           | Total                     | 9159
flow.end.state.established                                   | Total                     | 19247
flow.end.state.closed                                        | Total                     | 211
flow.end.tcp_state.closed                                    | Total                     | 211
flow.mgr.full_hash_pass                                      | Total                     | 2337
flow.mgr.rows_per_sec                                        | Total                     | 6553
flow.spare                                                   | Total                     | 10925
flow.mgr.rows_maxlen                                         | Total                     | 2
flow.mgr.flows_checked                                       | Total                     | 68744
flow.mgr.flows_notimeout                                     | Total                     | 40255
flow.mgr.flows_timeout                                       | Total                     | 28489
flow.mgr.flows_evicted                                       | Total                     | 28490
flow.mgr.flows_evicted_needs_work                            | Total                     | 198
memcap.pressure                                              | Total                     | 5
memcap.pressure_max                                          | Total                     | 5
defrag.memuse                                                | Total                     | 33554432
flow.recycler.recycled                                       | Total                     | 28292
flow.recycler.queue_max                                      | Total                     | 24
tcp.memuse                                                   | Total                     | 1245184
tcp.reassembly_memuse                                        | Total                     | 276480
http.memuse                                                  | Total                     | 336
http.byterange.memuse                                        | Total                     | 168384
http.byterange.memcap                                        | Total                     | 104857600
ippair.memuse                                                | Total                     | 398144
ippair.memcap                                                | Total                     | 398144
host.memuse                                                  | Total                     | 382144
host.memcap                                                  | Total                     | 33554432
flow.memuse                                                  | Total                     | 7479904

Related issues (1 open, 0 closed)

Related to Suricata - Bug #8142: Unknown ethertype event logs outer header ethertype instead of unrecognized ethertype in inner header (In Review, Jeff Lucovsky)

Updated by François RAPIN 11 months ago (#1)

Hi,
Sorry for that, I made a mistake in the second part of my message. I had mixed apples with oranges. The correct formula is:
decoder.pkts - decoder.ipv4 - decoder.arp - decoder.unknown_ethertype must be equal to zero.
316786 - 274652 - 3491 - 38643 = 0

But my initial request to display the protocol number remains valid.

Have a nice day.

François
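The corrected accounting identity above is easy to re-run against a whole stats.log, or against the JSON stats events written to eve.json. The following Python is an added example for this issue, not code from the thread or from Suricata: it parses the stats.log counter table format pasted in the description (the figures embedded below are copied from it) and a constructed, trimmed eve.json stats event, then reports the residual of decoder.pkts against the link-layer outcomes and the share of frames that hit decoder.unknown_ethertype. Which counters count as terminal outcomes (ipv4, ipv6, arp, unknown_ethertype) is my assumption; decoder.vlan is excluded because, as the description's own numbers show, tagged frames are already counted in the inner protocol's bucket.

```python
"""Check the Suricata decoder accounting identity used in this thread:

    decoder.pkts - decoder.ipv4 - decoder.ipv6 - decoder.arp - decoder.unknown_ethertype

over two sources: a stats.log counter table and an eve.json "stats" event.
Added example for this issue, not Suricata's own code.  STATS_LOG carries the
figures from the issue; EVE_STATS is a constructed, trimmed stats event."""
import json
import re

# Constructed excerpt of stats.log with the reporter's figures.
STATS_LOG = """\
---------------------------------------------------------------------------------------------------
Counter                                                      | TM Name                   | Value
---------------------------------------------------------------------------------------------------
capture.kernel_packets                                       | Total                     | 316785
decoder.pkts                                                 | Total                     | 316786
decoder.ipv4                                                 | Total                     | 274652
decoder.ethernet                                             | Total                     | 316786
decoder.arp                                                  | Total                     | 3491
decoder.unknown_ethertype                                    | Total                     | 38643
decoder.vlan                                                 | Total                     | 222881
"""

# Constructed, trimmed eve.json stats event (decoder numbers from comment #4).
EVE_STATS = json.dumps({
    "event_type": "stats",
    "stats": {"decoder": {"pkts": 541455, "ipv4": 541455, "ipv6": 0,
                          "arp": 0, "unknown_ethertype": 0, "vlan": 0}},
})

# Link-layer outcomes a decoded frame ends in (assumption).  decoder.vlan is a
# tag layer counted in addition to the inner protocol, so it is not listed.
L2_OUTCOMES = ("ipv4", "ipv6", "arp", "unknown_ethertype")

ROW_RE = re.compile(r"^(?P<name>[\w.\-]+)\s*\|\s*(?P<tm>[^|]+?)\s*\|\s*(?P<value>\d+)\s*$")


def parse_stats_log(text: str) -> dict:
    """Return {counter_name: value} for the 'Total' rows of a stats.log table.
    Counters at zero are simply absent from the table, so callers use .get()."""
    counters = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m and m["tm"] == "Total":
            counters[m["name"]] = int(m["value"])
    return counters


def decoder_counters_from_eve(line: str) -> dict:
    """Flatten the decoder block of an eve 'stats' event to stats.log names."""
    event = json.loads(line)
    if event.get("event_type") != "stats":
        raise ValueError("not a stats event")
    return {f"decoder.{k}": v for k, v in event["stats"]["decoder"].items()}


def decoder_residual(counters: dict) -> int:
    """decoder.pkts minus the sum of the L2 outcomes.
    0: every decoded frame landed in exactly one listed bucket.
    > 0: frames ended in a counter not listed in L2_OUTCOMES.
    < 0: a bucket is double counted or the outcome list is wrong."""
    return counters["decoder.pkts"] - sum(
        counters.get(f"decoder.{c}", 0) for c in L2_OUTCOMES)


def unknown_ethertype_share(counters: dict) -> float:
    """Fraction of decoded frames that hit decoder.unknown_ethertype."""
    pkts = counters["decoder.pkts"]
    return counters.get("decoder.unknown_ethertype", 0) / pkts if pkts else 0.0


if __name__ == "__main__":
    for label, counters in (("stats.log", parse_stats_log(STATS_LOG)),
                            ("eve stats", decoder_counters_from_eve(EVE_STATS))):
        print(f"{label}: residual={decoder_residual(counters)} "
              f"unknown_ethertype={unknown_ethertype_share(counters):.1%}")
```

A non-zero residual on a real stats.log is the thing worth alerting on: it means frames are ending in a link-layer bucket the check does not know about, which is exactly the kind of gap the reporter was worried would mask a bigger problem.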

Updated by Philippe Antoine 10 months ago (#2)

Jlucovsky, you made it possible, but suricata.yaml needs one option, right?
Like ethernet: yes # log ethernet header in events when available
in eve-log

Updated by François RAPIN 10 months ago (#3)

Hi,
This is a good idea to check over a few days. I'll check the size of the log files with these additional 22 bytes, but I think the impact will be minimal.
Thanks again for this idea.

Regards.
François

Updated by François RAPIN 9 months ago · Edited (#4)

Hi,
Sorry for that, but I have a doubt:
I modified my configuration file /etc/suricata/suricata.yaml with:
ethernet: yes
But I don't see any trace of the headers in the eve.json output.
Maybe I don't know how to search. In fact, I'm surprised that I can't find the "Ethertype" number or information like the source and destination MAC addresses. Did I do something wrong?
I'm on Trixie and I just upgraded to Suricata 8.0.1.

Thanks in advance for your help.

One example:
cat /var/log/suricata/eve.json.1 | jq 'select(.ether == null)' | more

{
  "timestamp": "2025-10-02T00:00:26.778820+0200",
  "flow_id": 2003682908544790,
  "event_type": "flow",
  "src_ip": "192.168.96.81",
  "src_port": 53735,
  "dest_ip": "192.168.96.100",
  "dest_port": 3551,
  "ip_v": 4,
  "proto": "TCP",
  "flow": {
    "pkts_toserver": 7,
    "pkts_toclient": 6,
    "bytes_toserver": 300,
    "bytes_toclient": 996,
    "start": "2025-10-01T23:59:19.269910+0200",
    "end": "2025-10-01T23:59:19.595818+0200",
    "age": 0,
    "state": "closed",
    "reason": "timeout",
    "alerted": false,
    "wrong_thread": true
  },
  "tcp": {
    "tcp_flags": "1b",
    "tcp_flags_ts": "1b",
    "tcp_flags_tc": "1b",
    "syn": true,
    "fin": true,
    "psh": true,
    "ack": true,
    "state": "closed",
    "ts_max_regions": 1,
    "tc_max_regions": 1
  }
}
{
  "timestamp": "2025-10-02T00:00:27.711646+0200",
  "flow_id": 2029438225135704,
  "event_type": "flow",
  "src_ip": "192.168.96.81",
  "src_port": 55570,
  "dest_ip": "192.168.96.100",
  "dest_port": 53,
  "ip_v": 4,
  "proto": "UDP",
  "app_proto": "dns",
  "flow": {
    "pkts_toserver": 1,
    "pkts_toclient": 1,
    "bytes_toserver": 66,
    "bytes_toclient": 138,
    "start": "2025-10-01T23:55:19.013763+0200",
    "end": "2025-10-01T23:55:19.015021+0200",
    "age": 0,
    "state": "established",
    "reason": "timeout",
    "alerted": false,
    "tx_cnt": 2
  }
}
{
  "timestamp": "2025-10-02T00:00:31.646771+0200",
  "event_type": "stats",
  "stats": {
    "uptime": 84862,
    "ips": {
      "accepted": 537199,
      "blocked": 4256,
      "rejected": 0,
      "replaced": 0,
      "drop_reason": {
        "decode_error": 0,
        "defrag_error": 0,
        "defrag_memcap": 0,
        "flow_memcap": 0,
        "flow_drop": 2882,
        "applayer_error": 0,
        "applayer_memcap": 0,
        "rules": 1219,
        "threshold_detection_filter": 0,
        "stream_error": 155,
        "stream_memcap": 0,
        "stream_midstream": 0,
        "stream_reassembly": 0,
        "stream_urgent": 0,
        "nfq_error": 0,
        "tunnel_packet_drop": 0,
        "default_packet_policy": 0,
        "default_app_policy": 0,
        "pre_stream_hook": 0,
        "pre_flow_hook": 0
      }
    },
    "decoder": {
      "pkts": 541455,
      "bytes": 254584145,
      "invalid": 0,
      "ipv4": 541455,
      "ipv6": 0,
      "ethernet": 0,
      "arp": 0,
      "unknown_ethertype": 0,
      "chdlc": 0,
      "raw": 0,
      "null": 0,
      "sll": 0,
      "sll2": 0,
      "tcp": 239090,
      "udp": 295271,
      "sctp": 0,
      "esp": 0,
      "icmpv4": 7094,
      "icmpv6": 0,
      "ppp": 0,
      "pppoe": 0,
      "geneve": 0,
      "gre": 0,
      "vlan": 0,
      "vlan_qinq": 0,
      "vlan_qinqinq": 0,
      "vxlan": 0,
      "vntag": 0,
      "ieee8021ah": 0,
      "teredo": 0,
      "ipv4_in_ipv4": 0,

My configuration file:
grep -v '^\s*$\|^\s*\#' /etc/suricata/suricata.yaml

%YAML 1.1
---
suricata-version: "7.0" 
vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" 
    EXTERNAL_NET: "!$HOME_NET" 
    HTTP_SERVERS: "$HOME_NET" 
    SMTP_SERVERS: "$HOME_NET" 
    SQL_SERVERS: "$HOME_NET" 
    DNS_SERVERS: "$HOME_NET" 
    TELNET_SERVERS: "$HOME_NET" 
    AIM_SERVERS: "$EXTERNAL_NET" 
    DC_SERVERS: "$HOME_NET" 
    DNP3_SERVER: "$HOME_NET" 
    DNP3_CLIENT: "$HOME_NET" 
    MODBUS_CLIENT: "$HOME_NET" 
    MODBUS_SERVER: "$HOME_NET" 
    ENIP_CLIENT: "$HOME_NET" 
    ENIP_SERVER: "$HOME_NET" 
  port-groups:
    HTTP_PORTS: "80" 
    SHELLCODE_PORTS: "!80" 
    ORACLE_PORTS: 1521
    SSH_PORTS: 22
    DNP3_PORTS: 20000
    MODBUS_PORTS: 502
    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" 
    FTP_PORTS: 21
    GENEVE_PORTS: 6081
    VXLAN_PORTS: 4789
    TEREDO_PORTS: 3544
default-log-dir: /var/log/suricata/
stats:
  enabled: yes
  interval: 8
plugins:
outputs:
  - fast:
      enabled: yes
      filename: fast.log
      append: yes
  - eve-log:
      enabled: yes
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
      filename: eve.json
      ethernet: yes # log ethernet header in events when available
      pcap-file: false
      community-id: false
      community-id-seed: 0
      xff:
        enabled: no
        mode: extra-data
        deployment: reverse
        header: X-Forwarded-For
      types:
        - alert:
            tagged-packets: yes
        - frame:
            enabled: no
        - anomaly:
            enabled: yes
            types:
        - http:
            extended: yes     # enable this for extended logging information
        - dns:
        - tls:
            extended: yes     # enable this for extended logging information
        - files:
            force-magic: no   # force logging magic on all logged files
        - drop:
            alerts: yes
            flows: all
            verdict: yes
        - smtp:
        - ftp
        - rdp
        - nfs
        - smb
        - tftp
        - ike
        - dcerpc
        - krb5
        - bittorrent-dht
        - snmp
        - rfb
        - sip
        - quic:
        - dhcp:
            enabled: yes
            extended: no
        - ssh
        - mqtt:
        - http2
        - pgsql:
            enabled: no
        - stats:
            totals: yes       # stats for all threads merged together
            threads: no       # per thread stats
            deltas: no        # include delta values
        - flow
  - http-log:
      enabled: no
      filename: http.log
      append: yes
  - tls-log:
      enabled: no  # Log TLS connections.
      filename: tls.log # File to store TLS logs.
      append: yes
  - tls-store:
      enabled: no
  - pcap-log:
      enabled: no
      filename: log.pcap
      limit: 1000mb
      max-files: 2000
      compression: none
      mode: normal # normal, multi or sguil.
      use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
      honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stop being logged.
  - alert-debug:
      enabled: no
      filename: alert-debug.log
      append: yes
  - stats:
      enabled: yes
      filename: stats.log
      append: yes       # append to file (yes) or overwrite it (no)
      totals: yes       # stats for all threads merged together
      threads: no       # per thread stats
  - syslog:
      enabled: no
      facility: local5
  - file-store:
      version: 2
      enabled: no
      xff:
        enabled: no
        mode: extra-data
        deployment: reverse
        header: X-Forwarded-For
  - tcp-data:
      enabled: no
      type: file
      filename: tcp-data.log
  - http-body-data:
      enabled: no
      type: file
      filename: http-data.log
  - lua:
      enabled: no
      scripts:
logging:
  default-log-level: notice
  default-output-filter:
  outputs:
  - console:
      enabled: yes
  - file:
      enabled: yes
      level: info
      filename: suricata.log
  - syslog:
      enabled: no
      facility: local5
      format: "[%i] <%d> -- " 
af-packet:
  - interface: enp4s0
    threads: auto
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    ring-size: 32000
  - interface: default
af-xdp:
  - interface: default
dpdk:
  eal-params:
    proc-type: primary
  interfaces:
    - interface: 0000:3b:00.0 # PCIe address of the NIC port
      threads: auto
      promisc: true # promiscuous mode - capture all packets
      multicast: true # enables also detection on multicast packets
      checksum-checks: true # if Suricata should validate checksums
      checksum-checks-offload: true # if possible offload checksum validation to the NIC (saves Suricata resources)
      mtu: 1500 # Set MTU of the device in bytes
      mempool-size: 65535 # The number of elements in the mbuf pool
      mempool-cache-size: 257
      rx-descriptors: 1024
      tx-descriptors: 1024
      copy-mode: none
      copy-iface: none # or PCIe address of the second interface
    - interface: default
      threads: auto
      promisc: true
      multicast: true
      checksum-checks: true
      checksum-checks-offload: true
      mtu: 1500
      rss-hash-functions: auto
      mempool-size: 65535
      mempool-cache-size: 257
      rx-descriptors: 1024
      tx-descriptors: 1024
      copy-mode: none
      copy-iface: none
pcap:
  - interface: enp4s0
  - interface: default
pcap-file:
  checksum-checks: auto
app-layer:
  protocols:
    telnet:
      enabled: yes
    rfb:
      enabled: yes
      detection-ports:
        dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909
    mqtt:
      enabled: yes
    krb5:
      enabled: yes
    bittorrent-dht:
      enabled: yes
    snmp:
      enabled: yes
    ike:
      enabled: yes
    tls:
      enabled: yes
      detection-ports:
        dp: 443
    pgsql:
      enabled: no
      stream-depth: 0
    dcerpc:
      enabled: yes
    ftp:
      enabled: yes
    rdp:
    ssh:
      enabled: yes
    http2:
      enabled: yes
    smtp:
      enabled: yes
      raw-extraction: no
      mime:
        decode-mime: yes
        decode-base64: yes
        decode-quoted-printable: yes
        header-value-depth: 2000
        extract-urls: yes
        body-md5: no
      inspected-tracker:
        content-limit: 100000
        content-inspect-min-size: 32768
        content-inspect-window: 4096
    imap:
      enabled: detection-only
    smb:
      enabled: yes
      detection-ports:
        dp: 139, 445
    nfs:
      enabled: yes
    tftp:
      enabled: yes
    dns:
      tcp:
        enabled: yes
        detection-ports:
          dp: 53
      udp:
        enabled: yes
        detection-ports:
          dp: 53
    http:
      enabled: yes
      libhtp:
         default-config:
           personality: IDS
           request-body-limit: 100kb
           response-body-limit: 100kb
           request-body-minimal-inspect-size: 32kb
           request-body-inspect-window: 4kb
           response-body-minimal-inspect-size: 40kb
           response-body-inspect-window: 16kb
           response-body-decompress-layer-limit: 2
           http-body-inline: auto
           swf-decompression:
             enabled: no
             type: both
             compress-depth: 100kb
             decompress-depth: 100kb
           double-decode-path: no
           double-decode-query: no
         server-config:
    modbus:
      enabled: no
      detection-ports:
        dp: 502
      stream-depth: 0
    dnp3:
      enabled: no
      detection-ports:
        dp: 20000
    enip:
      enabled: no
      detection-ports:
        dp: 44818
        sp: 44818
    ntp:
      enabled: yes
    quic:
      enabled: yes
    dhcp:
      enabled: yes
    sip:
asn1-max-frames: 256
datasets:
  defaults:
  limits:
  rules:
security:
  limit-noproc: true
  landlock:
    enabled: no
    directories:
      read:
        - /usr/
        - /etc/
        - /etc/suricata/
  lua:
coredump:
  max-dump: unlimited
host-mode: auto
runmode: workers
unix-command:
  enabled: yes
legacy:
  uricontent: enabled
exception-policy: auto
engine-analysis:
  rules-fast-pattern: yes
  rules: yes
pcre:
  match-limit: 3500
  match-limit-recursion: 1500
host-os-policy:
  windows: [0.0.0.0/0]
  bsd: []
  bsd-right: []
  old-linux: []
  linux: []
  old-solaris: []
  solaris: []
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []
defrag:
  memcap: 32mb
  hash-size: 65536
  trackers: 65535 # number of defragmented flows to follow
  max-frags: 65535 # number of fragments to keep (higher than trackers)
  prealloc: yes
  timeout: 60
flow:
  memcap: 128mb
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30
vlan:
  use-for-tracking: true
livedev:
  use-for-tracking: true
flow-timeouts:
  default:
    new: 30
    established: 300
    closed: 0
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-closed: 0
    emergency-bypassed: 50
  tcp:
    new: 60
    established: 600
    closed: 60
    bypassed: 100
    emergency-new: 5
    emergency-established: 100
    emergency-closed: 10
    emergency-bypassed: 50
  udp:
    new: 30
    established: 300
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-bypassed: 50
  icmp:
    new: 30
    established: 300
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-bypassed: 50
stream:
  memcap: 64mb
  checksum-validation: yes      # reject incorrect csums
  inline: auto                  # auto will use inline mode in IPS mode, yes or no set it statically
  reassembly:
    memcap: 256mb
    depth: 1mb                  # reassemble 1mb into a stream
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes
host:
  hash-size: 4096
  prealloc: 1000
  memcap: 32mb
decoder:
  teredo:
    enabled: true
    ports: $TEREDO_PORTS # syntax: '[3544, 1234]' or '3533' or 'any'.
  vxlan:
    enabled: true
    ports: $VXLAN_PORTS # syntax: '[8472, 4789]' or '4789'.
  geneve:
    enabled: true
    ports: $GENEVE_PORTS # syntax: '[6081, 1234]' or '6081'.
detect:
  profile: medium
  custom-values:
    toclient-groups: 3
    toserver-groups: 25
  sgh-mpm-context: auto
  prefilter:
    default: mpm
  grouping:
  profiling:
    grouping:
      dump-to-disk: false
      include-rules: false      # very verbose
      include-mpm-stats: false
mpm-algo: ac
spm-algo: bm
threading:
  set-cpu-affinity: no
  cpu-affinity:
    - management-cpu-set:
        cpu: [ 0 ]  # include only these CPUs in affinity settings
    - receive-cpu-set:
        cpu: [ 0 ]  # include only these CPUs in affinity settings
    - worker-cpu-set:
        cpu: [ "all" ]
        mode: "exclusive" 
        prio:
          low: [ 0 ]
          medium: [ "1-2" ]
          high: [ 3 ]
          default: "medium" 
  detect-thread-ratio: 1.0
luajit:
  states: 128
profiling:
  rules:
    enabled: yes
    filename: rule_perf.log
    append: yes
    limit: 10
    json: yes
  keywords:
    enabled: yes
    filename: keyword_perf.log
    append: yes
  prefilter:
    enabled: yes
    filename: prefilter_perf.log
    append: yes
  rulegroups:
    enabled: yes
    filename: rule_group_perf.log
    append: yes
  packets:
    enabled: yes
    filename: packet_stats.log
    append: yes
    csv:
      enabled: no
      filename: packet_stats.csv
  locks:
    enabled: no
    filename: lock_stats.log
    append: yes
  pcap-log:
    enabled: no
    filename: pcaplog_stats.log
    append: yes
nfq:
   mode: accept
   batchcount: 20
   fail-open: yes
nflog:
  - group: 2
    buffer-size: 18432
  - group: default
    qthreshold: 1
    qtimeout: 100
    max-size: 20000
capture:
netmap:
 - interface: eth2
 - interface: default
pfring:
  - interface: enp4s0
    threads: auto
    cluster-id: 99
    cluster-type: cluster_flow
  - interface: default
ipfw:
napatech:
    streams: ["0-3"]
    enable-stream-stats: no
    auto-config: yes
    hardware-bypass: yes
    inline: no
    ports: [0-1,2-3]
    hashmode: hash5tuplesorted
default-rule-path: /var/lib/suricata/rules
rule-files:
  - suricata.rules
classification-file: /etc/suricata/classification.config
reference-config-file: /etc/suricata/reference.config

Updated by Jason Ish 7 months ago (#5)

  • Related to Bug #8142: Unknown ethertype event logs outer header ethertype instead of unrecognized ethertype in inner header added
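Bug #8142, linked above, describes the unknown-ethertype event reporting the outer ethertype field rather than the unrecognized inner one. On an 802.1Q-tagged interface such as the reporter's enp4s0, the outer field is always the VLAN TPID (0x8100), so that value says nothing about which protocol was actually rejected. The following Python is an added illustration for this issue, not Suricata's decoder or any code from the thread: it walks a frame's tag stack and returns both the outer and the innermost ethertype, using constructed frames (constructed MAC addresses, VLAN ids 1 and 96 from the description, and 0x88B5, the IEEE local-experimental ethertype, standing in for an unrecognized protocol). The table of known ethertypes and the set of TPIDs treated as VLAN tags are my assumptions, not Suricata's lists.

```python
"""Walk an Ethernet II frame through its 802.1Q / 802.1ad tag stack and report
both the outer ethertype field and the innermost one.  Added example for this
issue, not Suricata code.  KNOWN_ETHERTYPES and VLAN_TPIDS are constructed
subsets of registered values, not Suricata's decoder tables."""
import struct

ETH_HDR_LEN = 14
VLAN_TAG_LEN = 4
# TPIDs that introduce a VLAN tag: 802.1Q and the 802.1ad provider tag (assumption).
VLAN_TPIDS = {0x8100, 0x88A8}

KNOWN_ETHERTYPES = {  # constructed subset of IANA-registered values
    0x0800: "ipv4", 0x0806: "arp", 0x86DD: "ipv6",
    0x8863: "pppoe-discovery", 0x8864: "pppoe-session",
    0x8847: "mpls-unicast", 0x8848: "mpls-multicast",
}


def walk_ethertypes(frame: bytes) -> dict:
    """Return the outer ethertype field, the VLAN ids found, the innermost
    ethertype, the payload offset and how the inner value classifies."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("truncated Ethernet header")
    outer = struct.unpack_from("!H", frame, 12)[0]
    etype, offset, vlan_ids = outer, ETH_HDR_LEN, []
    while etype in VLAN_TPIDS:
        if len(frame) < offset + VLAN_TAG_LEN:
            raise ValueError("truncated VLAN tag")
        tci, etype = struct.unpack_from("!HH", frame, offset)
        vlan_ids.append(tci & 0x0FFF)   # low 12 bits of the TCI are the VID
        offset += VLAN_TAG_LEN
    return {
        "outer_ethertype": outer,
        "vlan_ids": vlan_ids,
        "inner_ethertype": etype,
        "payload_offset": offset,
        "classification": KNOWN_ETHERTYPES.get(etype, "unknown_ethertype"),
    }


def build_frame(ethertype: int, vlan_ids=(), tpids=None, payload=b"\x00" * 4) -> bytes:
    """Construct a frame with constructed MAC addresses and the given tag stack."""
    frame = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    tpids = list(tpids) if tpids else [0x8100] * len(vlan_ids)
    for tpid, vid in zip(tpids, vlan_ids):
        frame += struct.pack("!HH", tpid, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def describe(frame: bytes) -> str:
    """One-line summary of the kind an improved event could carry."""
    r = walk_ethertypes(frame)
    return (f"outer=0x{r['outer_ethertype']:04x} vlans={r['vlan_ids']} "
            f"inner=0x{r['inner_ethertype']:04x} ({r['classification']})")


if __name__ == "__main__":
    samples = {
        "untagged ipv4": build_frame(0x0800),
        "vlan 96 ipv4": build_frame(0x0800, [96]),
        "vlan 96 experimental 0x88b5": build_frame(0x88B5, [96]),
        "qinq 1/96 arp": build_frame(0x0806, [1, 96], tpids=[0x88A8, 0x8100]),
    }
    for name, frame in samples.items():
        print(f"{name:30s} {describe(frame)}")
```

Run directly, it prints one summary line per sample frame. For the tagged experimental frame the outer field reads 0x8100 while the inner one reads 0x88b5: the inner value is the one that would let the reporter tell a configuration problem from an unexpected protocol on the wire.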

Updated by Juliana Fajardini Reichow about 1 month ago (#6)

  • Status changed from New to Triaged
  • Assignee changed from OISF Dev to Jeff Lucovsky
  • Target version changed from TBD to 9.0.0-beta1

Updated by Jeff Lucovsky about 1 month ago (#7)

Is it possible that in the future this alert will also indicate the affected protocol number?

Are you asking for the unknown ethertype value to be displayed?

Updated by Jeff Lucovsky 29 days ago (#8)

  • Status changed from Triaged to In Progress

Updated by Jeff Lucovsky 28 days ago (#9)

  • Status changed from In Progress to In Review