Feature #8428
Include GENEVE tunnel options in EVE JSON logs (status: open)
Description
Hey,
When Suricata decapsulates GENEVE tunnel traffic, the optional TLV metadata from the GENEVE header is not included in the EVE JSON output.
When multiple sources send traffic through GENEVE tunnels to a single Suricata instance, the inner packets can share the same private address space. Including the tunnel options in the EVE output would allow operators to attribute alerts to the correct tunnel source.
Would it be possible to parse GENEVE tunnel options (class, type, value) - or config support, depending on users' requests - during decapsulation and include them in EVE JSON output alongside existing tunnel metadata?
Thanks
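As an added illustration of what the request asks for (this is not Suricata code), the following parses a GENEVE header per RFC 8926 and turns its option TLVs into a JSON-friendly object; the key names (`vni`, `options`, `class`, `type`, `value`) are assumed here, not Suricata's actual EVE schema, and the sample header is constructed.

```python
import json
import struct
from typing import Dict, List

GENEVE_VERSION = 0

class GeneveError(ValueError):
    """Raised for malformed or truncated GENEVE headers."""

def parse_geneve(data: bytes) -> Dict:
    """Parse a GENEVE base header plus option TLVs (RFC 8926).

    Returns a dict shaped like a hypothetical EVE "geneve" object: VNI,
    inner protocol, header flags, and each option's class/type/value.
    """
    if len(data) < 8:
        raise GeneveError("short GENEVE base header")
    ver_optlen, flags, proto, vni_rsvd = struct.unpack("!BBHI", data[:8])
    if ver_optlen >> 6 != GENEVE_VERSION:
        raise GeneveError(f"unsupported GENEVE version {ver_optlen >> 6}")
    opt_len = (ver_optlen & 0x3F) * 4  # Opt Len is counted in 4-byte words
    end = 8 + opt_len
    if len(data) < end:
        raise GeneveError("truncated GENEVE options")
    options: List[Dict] = []
    off = 8
    while off < end:
        if end - off < 4:
            raise GeneveError("truncated option header")
        opt_class, opt_type, len_byte = struct.unpack("!HBB", data[off:off + 4])
        length = (len_byte & 0x1F) * 4  # low 5 bits, in 4-byte words
        if off + 4 + length > end:
            raise GeneveError("option length exceeds Opt Len")
        options.append({
            "class": opt_class,
            "type": opt_type & 0x7F,        # high bit is the Critical flag
            "critical": bool(opt_type & 0x80),
            "value": data[off + 4:off + 4 + length].hex(),
        })
        off += 4 + length
    return {
        "vni": vni_rsvd >> 8,               # top 24 bits; low byte reserved
        "protocol": proto,                  # e.g. 0x6558 = inner Ethernet
        "oam": bool(flags & 0x80),
        "critical_options": bool(flags & 0x40),
        "options": options,
        "payload_offset": end,
    }

# Constructed sample: version 0, Opt Len 2 words, C flag set, inner Ethernet,
# VNI 0xABCD, one critical option (class 0x0102, type 0) carrying 0xdeadbeef.
SAMPLE_GENEVE = bytes.fromhex("02406558 00abcd00 01028001 deadbeef")

if __name__ == "__main__":
    print(json.dumps(parse_geneve(SAMPLE_GENEVE), indent=2))
```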
Updated by Victor Julien 4 days ago
I think it would then also need to be used in flow tracking, as overlapping address ranges might disrupt flows.
Updated by Victor Julien 4 days ago
- Related to Feature #6468: flow-tracking: add geneve as a flow tracking parameter added