[Oisf-users] VLAN info and unified2 logs

Carlos TerrĂ³n cterron at alienvault.com
Wed Sep 10 10:16:15 UTC 2014


I have some problems retrieving log info about events fired by network packets encapsulate  in VLAN. I have monitoring traffic in a tagged vlan, and sometimes, the unified2 logs have info about the VLAN packets, sometimes no.

In my setup I have a a computer connected to a switch port with a tagged vlan. There are events that were stored in the unified2 with the VLAN info. For example,  if Suricata detects traffic that fire up this rule

ET POLICY Dropbox Client Broadcasting [**] [Classification: Potential Corporate Privacy Violation] [Priority: 
1] {UDP} 192.168.x.x:17500 ->

Using barnyard2 to obtain the pcap capture of the event, I see the next info:

08:32:10.545100 68:5b:35:xx:xx:xx > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 199: vlan 2, p 0, ethertype IPv4, > 255.255.2
55.255.17500: UDP, length 153

I see correctly the VLAN information in the packet.

But when Suricata fire up this rule  (downloading a exploit from www.explout-db.com)

09/09-08:32:13.920616  [**] [1:2011346:7] ET SHELLCODE Possible Unescape %u Shellcode/Heap Spray [**] [Classification: Executable Code was Detected] [Priority: 1] {TCP} -> 192.168.x.x:59703

And I analyze the pcap capture:

08:32:13.920616 00:00:00:00:00:00 > 00:00:00:00:00:00, ethertype IPv4 (0x0800), length 471: > 192.168.x.x.59703: Flags [], seq 0:417, 
win 0, length 417

There aren’t any info about

Source MAC
Destination MAC

I don’t now if this is a configuration issue I have with Suricata or that Suricata doesn’t store VLAN info in certain fired rules.

Thanks for the help

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20140910/6122b50c/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20140910/6122b50c/attachment.pgp>

More information about the Oisf-users mailing list