[Oisf-devel] RFC: vlan_id in flow tracking
Victor Julien
victor at inliniac.net
Thu Apr 4 11:12:17 UTC 2013
On 04/04/2013 01:10 PM, Victor Julien wrote:
> (RFC: request for comments :))
>
> Suricata currently parses VLAN headers but doesn't really do anything
> with them. This is obviously wrong in some cases, like in flow tracking.
> There can be several VLANs on a network, where in each we see the same
> 5-tuple. These shouldn't be mixed, but right now they can be.
>
> This patch tries to deal with it:
> https://github.com/inliniac/suricata/commit/d755fdfdc4576057712ccdb70f1e3a17bfad901c
>
> There are a few open issues:
>
> - what to do in case of multiple layers of VLAN? We should probably be
> taking the tunnel approach, where we create a fake packet
>
> - there are reports of broken switches (Chris) that only append vlan
> tags to one direction of the flows. To handle this correctly the vlan id
> tracking would have to be optional
>
> Comments?
>
We'd need to do the same for IP defragmentation btw.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
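An added example, not Suricata's code and not the patch linked above, of what "vlan_id in the flow key" means in practice: a small C parser builds a flow key from a constructed Ethernet/IPv4 frame, folds up to two 802.1Q/802.1ad tags into that key, and takes a track_vlan switch that makes the tags invisible to the key, which is the optional behaviour the one-sided-tagging switches would need. Every name here (FlowKey, ParseFlowKey, BuildFrame, KeysDiffer, DoubleTaggedVid) and all sample frames are this example's own; for stacked tags it simply records both VIDs instead of the fake-packet tunnel approach the mail raises as an open issue.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not Suricata code: why the VLAN id belongs in the flow key, and how
 * an optional setting copes with switches that tag only one direction. Names are the example's own. */
#define ETHERTYPE_VLAN  0x8100   /* 802.1Q tag */
#define ETHERTYPE_QINQ  0x88A8   /* 802.1ad outer (service) tag */
#define ETHERTYPE_IPV4  0x0800
#define MAX_VLAN_LAYERS 2

typedef struct FlowKey_ {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint8_t  proto;
    uint8_t  vlan_layers;               /* stays 0 when VLAN tracking is off */
    uint16_t vlan_id[MAX_VLAN_LAYERS];  /* outer tag first */
} FlowKey;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v >> 16)); wr16(p + 2, (uint16_t)v); }
/* Parse Ethernet, up to MAX_VLAN_LAYERS tags, IPv4 and the L4 port pair into a flow key.
 * With track_vlan == 0 the tags are stepped over but not recorded, so tagged and untagged
 * copies of one 5-tuple collapse into the same key. Returns 0 on success, negative on error. */
int ParseFlowKey(const uint8_t *buf, size_t len, int track_vlan, FlowKey *key)
{
    memset(key, 0, sizeof(*key));
    if (len < 14) return -1;
    size_t off = 14; uint16_t etype = rd16(buf + 12); int layers = 0;
    while (etype == ETHERTYPE_VLAN || etype == ETHERTYPE_QINQ) {
        if (off + 4 > len) return -1;
        if (layers == MAX_VLAN_LAYERS) return -2;   /* deeper stacks are out of scope here */
        if (track_vlan)                              /* the VID is the low 12 bits of the TCI */
            key->vlan_id[layers] = rd16(buf + off) & 0x0FFF;
        layers++; etype = rd16(buf + off + 2); off += 4;
    }
    if (track_vlan) key->vlan_layers = (uint8_t)layers;
    if (etype != ETHERTYPE_IPV4 || off + 20 > len) return -3;
    const uint8_t *ip = buf + off;
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;
    if (ihl < 20 || off + ihl + 4 > len) return -1;
    key->proto = ip[9]; key->src_ip = rd32(ip + 12); key->dst_ip = rd32(ip + 16);
    /* TCP/UDP: the L4 header opens with the port pair; other protocols keep ports at 0 */
    if (key->proto == 6 || key->proto == 17) { key->src_port = rd16(ip + ihl); key->dst_port = rd16(ip + ihl + 2); }
    return 0;
}

int FlowKeyEqual(const FlowKey *a, const FlowKey *b)
{
    return a->src_ip == b->src_ip && a->dst_ip == b->dst_ip && a->proto == b->proto &&
           a->src_port == b->src_port && a->dst_port == b->dst_port && a->vlan_layers == b->vlan_layers &&
           memcmp(a->vlan_id, b->vlan_id, sizeof(a->vlan_id)) == 0;
}

/* Constructed Ethernet/IPv4/TCP frame (sample data, not a capture) for 10.0.0.1:40000 -> 10.0.0.2:80
 * under nvlans tags; two tags are written as an 802.1ad outer plus an 802.1Q inner tag.
 * Returns the frame length, 0 on error. */
size_t BuildFrame(uint8_t *out, size_t cap, const uint16_t *vlans, int nvlans)
{
    if (cap < 46 || nvlans > MAX_VLAN_LAYERS) return 0;
    memset(out, 0, cap); size_t off = 12;            /* MAC addresses left as zero */
    for (int i = 0; i < nvlans; i++, off += 4) {
        wr16(out + off, (i == 0 && nvlans > 1) ? ETHERTYPE_QINQ : ETHERTYPE_VLAN);
        wr16(out + off + 2, vlans[i] & 0x0FFF);
    }
    wr16(out + off, ETHERTYPE_IPV4); off += 2;
    uint8_t *ip = out + off; ip[0] = 0x45; ip[9] = 6;  /* IHL 5, protocol TCP */
    wr32(ip + 12, 0x0A000001); wr32(ip + 16, 0x0A000002);
    wr16(ip + 20, 40000); wr16(ip + 22, 80);
    return off + 24;
}

/* 1 if frames under tag stacks va and vb get distinct flow keys, 0 if they are
 * merged into one flow, -1 on a parse error. */
int KeysDiffer(const uint16_t *va, int na, const uint16_t *vb, int nb, int track_vlan)
{
    uint8_t fa[64], fb[64]; FlowKey ka, kb;
    size_t la = BuildFrame(fa, sizeof(fa), va, na), lb = BuildFrame(fb, sizeof(fb), vb, nb);
    if (ParseFlowKey(fa, la, track_vlan, &ka) != 0 || ParseFlowKey(fb, lb, track_vlan, &kb) != 0) return -1;
    return !FlowKeyEqual(&ka, &kb);
}

/* VID recorded at `layer` for a double-tagged frame (outer 10, inner 100), -1 if unavailable. */
int DoubleTaggedVid(int layer)
{
    uint8_t f[64]; FlowKey k; uint16_t stack[2] = { 10, 100 };
    size_t l = BuildFrame(f, sizeof(f), stack, 2);
    if (layer < 0 || layer >= MAX_VLAN_LAYERS || ParseFlowKey(f, l, 1, &k) != 0) return -1;
    return k.vlan_layers == 2 ? k.vlan_id[layer] : -1;
}

int main(void)
{
    uint16_t v100 = 100, v200 = 200;
    printf("VLAN 100 vs 200, tracking on/off : %d/%d\n", KeysDiffer(&v100, 1, &v200, 1, 1), KeysDiffer(&v100, 1, &v200, 1, 0));
    printf("VLAN 100 vs untagged, on/off     : %d/%d\n", KeysDiffer(&v100, 1, NULL, 0, 1), KeysDiffer(&v100, 1, NULL, 0, 0));
    printf("QinQ outer/inner VID             : %d/%d\n", DoubleTaggedVid(0), DoubleTaggedVid(1));
    return 0;
}
```

With tracking on, the same 5-tuple seen in VLAN 100 and VLAN 200 (or tagged versus untagged) produces two flow keys; with tracking off both cases collapse into one flow, which is the trade-off a deployment behind a one-direction-tagging switch would have to accept. The same key shape would also be needed wherever fragments are matched up, which is the point the reply makes about IP defragmentation.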