[Oisf-users] SURICATA VLAN unknown type

Victor Julien lists at inliniac.net
Mon Mar 31 12:13:42 UTC 2014 

On 03/31/2014 02:11 PM, PENZ Robert wrote:
> Hi!
> 
>  
> 
> Using Suricata 2.0 rc2 (will update today to the final version) I get
> many following entries, but most packets are parsed correctly:
> 
>  
> 
> 03/31/2014-13:15:38.049215  [**] [1:2200067:1] SURICATA VLAN unknown
> type [**] [Classification: (null)] [Priority: 3] [**] [Raw pkt: FF FF FF
> FF FF FF 38 EA A7 91 D7 11 81 00 09 F8 08 06 00 01 08 00 06 04 00 01 38
> EA A7 91 D7 11 ]
> 
> 03/31/2014-13:15:38.049226  [**] [1:2200067:1] SURICATA VLAN unknown
> type [**] [Classification: (null)] [Priority: 3] [**] [Raw pkt: FF FF FF
> FF FF FF 38 EA A7 91 D7 11 81 00 05 48 08 06 00 01 08 00 06 04 00 01 38
> EA A7 91 D7 11 ]
> 
> 03/31/2014-13:15:38.733961  [**] [1:2200067:1] SURICATA VLAN unknown
> type [**] [Classification: (null)] [Priority: 3] [**] [Raw pkt: 00 04 96
> 51 97 A1 38 EA A7 91 D7 11 81 00 05 48 08 06 00 01 08 00 06 04 00 01 38
> EA A7 91 D7 11 ]
> 
> 03/31/2014-13:15:40.542186  [**] [1:2200067:1] SURICATA VLAN unknown
> type [**] [Classification: (null)] [Priority: 3] [**] [Raw pkt: FF FF FF
> FF FF FF 38 EA A7 31 30 A5 81 00 06 74 08 06 00 01 08 00 06 04 00 01 38
> EA A7 31 30 A5 ]
> 
> 03/31/2014-13:15:40.542252  [**] [1:2200067:1] SURICATA VLAN unknown
> type [**] [Classification: (null)] [Priority: 3] [**] [Raw pkt: FF FF FF
> FF FF FF 38 EA A7 31 30 A5 81 00 0C 50 08 06 00 01 08 00 06 04 00 01 38
> EA A7 31 30 A5 ]
> 
> 03/31/2014-13:15:44.444643  [**] [1:2200067:1] SURICATA VLAN unknown
> type [**] [Classification: (null)] [Priority: 3] [**] [Raw pkt: FF FF FF
> FF FF FF 38 EA A7 91 D7 11 81 00 0C 50 08 06 00 01 08 00 06 04 00 01 38
> EA A7 91 D7 11 ]
> 
> 03/31/2014-13:15:44.444654  [**] [1:2200067:1] SURICATA VLAN unknown
> type [**] [Classification: (null)] [Priority: 3] [**] [Raw pkt: FF FF FF
> FF FF FF 38 EA A7 91 D7 11 81 00 07 A0 08 06 00 01 08 00 06 04 00 01 38
> EA A7 91 D7 11 ]
> 
> 03/31/2014-13:15:44.444665  [**] [1:2200067:1] SURICATA VLAN unknown
> type [**] [Classification: (null)] [Priority: 3] [**] [Raw pkt: FF FF FF
> FF FF FF 38 EA A7 91 D7 11 81 00 08 CC 08 06 00 01 08 00 06 04 00 01 38
> EA A7 91 D7 11 ]
> 
> 03/31/2014-13:15:44.444676  [**] [1:2200067:1] SURICATA VLAN unknown
> type [**] [Classification: (null)] [Priority: 3] [**] [Raw pkt: FF FF FF
> FF FF FF 38 EA A7 91 D7 11 81 00 09 F8 08 06 00 01 08 00 06 04 00 01 38
> EA A7 91 D7 11 ]
> 
> 03/31/2014-13:15:44.444687  [**] [1:2200067:1] SURICATA VLAN unknown
> type [**] [Classification: (null)] [Priority: 3] [**] [Raw pkt: FF FF FF
> FF FF FF 38 EA A7 91 D7 11 81 00 05 48 08 06 00 01 08 00 06 04 00 01 38
> EA A7 91 D7 11 ]
> 
> 03/31/2014-13:15:44.444747  [**] [1:2200067:1] SURICATA VLAN unknown
> type [**] [Classification: (null)] [Priority: 3] [**] [Raw pkt: FF FF FF
> FF FF FF 38 EA A7 91 D7 11 81 00 06 74 08 06 00 01 08 00 06 04 00 01 38
> EA A7 91 D7 11 ]
> 
>  
> 
> But the packets look valid for me. e.g. the last one.
> 
>  
> 
> FF FF FF FF FF FF          Broadcast
> 
> 38 EA A7 91 D7 11          Source MAC
> 
> 81 00                      TPID = 0x8100
> 
> 06 74                      VLAN ID = 1652
> 
> 08 06                      EtherType/Size
> 
> 00 01 08 00 06 04 00 01 38 EA A7 91 D7 11  payload
> 
>  
> 
> What do I miss?

It's probably Suricata that is missing something: support for a specific
packet type :)

Are you able to (privately) share a small pcap (single packet would be
enough)?

As a work around, you can simply disable rule 2200067.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------

More information about the Oisf-users mailing list