[Oisf-users] Suricata VLAN

[Christophe Vandeplas]

Hello Eric,

I think you misunderstood the situation. (or I am misunderstanding your answer)

We are mirroring one physical port of the switch.
That port is configured as an access port, in vlan X.   (so no VLAN trunk)

Our sniffing port seems to send out the traffic from the mirrored physical port,
but the inbound traffic contains a VLAN tag,
and the outbound traffic is in the native VLAN.

In other words , a TCP handshake is:
10.0.0.1  -> 2.2.2.2 SYN    native vlan
2.2.2.2 -> SYN/ACK   tagged vlan X
10.0.0.1 -> 2.2.2.2 ACK   native vlan.

It seems to be a "feature" of this switch. (how it handles traffic
internally in the switch)

So the thing is that I don't want to filter out the VLAN traffic,
but I'd like to know the impact on Suricata. Will it be able to
rebuild the TCP sessions, will it have impact on the IDS rules? ...

Thanks




On Wed, Feb 15, 2012 at 10:15 AM, Eric Leblond <eric at regit.org> wrote:
> Hello,
>
> Le mercredi 15 février 2012 à 10:11 +0100, Christophe Vandeplas a
> écrit :
>> Hello,
>>
>> I have a situation where a switch is acting 'originally' with traffic mirroring.
>>
>> The mirrored traffic in inbound direction is in the native vlan, and
>> the outbound is in a tagged vlan.
>>
>> I wonder how Suricata handles these flows.
>> Will it be able to reconstruct the TCP sessions correctly? Even if the
>> traffic is not in the same VLAN?
>>
>> What would be the impact if it doesn't reconstruct the traffic?
>> I'm certain that some things will still work, but I'm not certain
>> about the real impact.
>
> You may want to use a BPF expression to only select the packet from one
> of the VLAN. For example, "not vlan XX" should select only the incoming
> packets. This could avoid issue with seeing two times each packet.
>
> To provide a BPF, just add it at the end of suricata command line.
>
> BR,
> --
> Eric