Project

General

Profile

Actions

Feature #5956

open

Report traffic with missing VLAN tag

Added by Joerg Manasse over 1 year ago. Updated over 1 year ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

Sometimes outgoing packets have a VLAN tag, but the corresponding incoming packets do not.
There is a corresponding config parameter so that Suricata can deal with this.
However, it would be helpful to recognise such traffic (actively) in order to be able to react.

Report traffic with missing VLAN tag in the out or incoming packets of the same data stream.
Solution: Message in the log file or when called up directly with a corresponding (new) parameter.

Actions #1

Updated by Victor Julien over 1 year ago

What would the logic be? Some ratio of non-vlan vs vlan leads to the warning? The stats logging should make it easy to do this already btw, something like a decoder.ethernet vs decoder.vlan check.

Actions #2

Updated by Andreas Herz over 1 year ago

Victor Julien wrote in #note-1:

What would the logic be? Some ratio of non-vlan vs vlan leads to the warning? The stats logging should make it easy to do this already btw, something like a decoder.ethernet vs decoder.vlan check.

Another idea would be a decoder-events.rule that could detect it, like "Missing VLAN tag in one direction of a flow" or so.

I have seen this issue in the past as well. You mirrored 5Gbit/s of traffic and ended up confused why only a very small amount of events/alerts are seen. Once you dig into the traffic you spot that one direction of a flow as including the VLAN ID and the other direction was not including it. Only then you recognize it's the `vlan.use-for-tracking: true` option.

A workaround would be an external tool to use a script to do some sort of baseline and detect it (tshark or tcpdump).

Actions

Also available in: Atom PDF