[Oisf-users] Suricata VLAN

Chris Wakelin c.d.wakelin at reading.ac.uk
Wed Feb 15 09:46:29 UTC 2012

This is a similar situation to our Extreme border switches (which we're
not monitoring at the moment; we're monitoring the core to firewall

It didn't seem to cause any problems in Suricata. We're using PF_RING
with cluster-per-flow and Will Metcalf pointed out that it uses the VLAN
id as part of its header hashing and suggested we modify the hash to
leave the VLAN id out.

You do need to make sure that Suricata's default-packet-size is
appropriate to take into account the VLAN headers; we set it manually to

Best Wishes,

On 15/02/2012 09:28, Christophe Vandeplas wrote:
> Hello Eric,
> I think you misunderstood the situation. (or I am misunderstanding your answer)
> We are mirroring one physical port of the switch.
> That port is configured as an access port, in vlan X.   (so no VLAN trunk)
> Our sniffing port seems to send out the traffic from the mirrored physical port,
> but the inbound traffic contains a VLAN tag,
> and the outbound traffic is in the native VLAN.
> In other words , a TCP handshake is:
>  -> SYN    native vlan
> -> SYN/ACK   tagged vlan X
> -> ACK   native vlan.
> It seems to be a "feature" of this switch. (how it handles traffic
> internally in the switch)
> So the thing is that I don't want to filter out the VLAN traffic,
> but I'd like to know the impact on Suricata. Will it be able to
> rebuild the TCP sessions, will it have impact on the IDS rules? ...
> Thanks
> On Wed, Feb 15, 2012 at 10:15 AM, Eric Leblond <eric at regit.org> wrote:
>> Hello,
>> Le mercredi 15 février 2012 à 10:11 +0100, Christophe Vandeplas a
>> écrit :
>>> Hello,
>>> I have a situation where a switch is acting 'originally' with traffic mirroring.
>>> The mirrored traffic in inbound direction is in the native vlan, and
>>> the outbound is in a tagged vlan.
>>> I wonder how Suricata handles these flows.
>>> Will it be able to reconstruct the TCP sessions correctly? Even if the
>>> traffic is not in the same VLAN?
>>> What would be the impact if it doesn't reconstruct the traffic?
>>> I'm certain that some things will still work, but I'm not certain
>>> about the real impact.
>> You may want to use a BPF expression to only select the packet from one
>> of the VLAN. For example, "not vlan XX" should select only the incoming
>> packets. This could avoid issue with seeing two times each packet.
>> To provide a BPF, just add it at the end of suricata command line.
>> BR,
>> --
>> Eric
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK              Fax: +44 (0)118 975 3094

More information about the Oisf-users mailing list