Suricata

The firewall mode should be able to distinguish between "Ethernet/IP/TCP" and "Ethernet/VLAN/GRE/Ethernet/IP/TCP". A packet should somehow expose this to the detection engine.

Perhaps a field that holds a list of protocol id's, starting at the datalink:
DLT_EN10MB:IPV4:TCP

Perhaps this would just be string buffer, where we can match using content.