App layer not detecting flows

Hi all, I have encountered something strange and cannot pinpoint the issue. I hope you can help me in the right direction.

Suricata is running on a Debian VM on an ESXi host. The VM is connected to a SPAN port and receives data via VLAN 0 / untagged (response) and VLAN 1 (request) on 1 interface. When using Wireshark I see data on both VLANs. However, Suricata only logs data for VLAN 1.

For debugging purposes I created a pcap file via tshark for VLAN 0. When I parse this pcap file with Suricata I am not getting any output (in eve.json). I noticed in the stats that the TCP flow count has a high number; however, the app layer flow count stays 0 (for example for HTTP), while the pcap file contains HTTP flows (verified in Wireshark).

Any ideas why Suricata does not detect (HTTP) flows? I also verified the Suricata configuration by downloading a pcap example file from the Internet. Then I am getting output in the eve.json file.

What is the setting for using vlan for tracking in your suricata.yaml?

Can you test it with false as below?

# VLAN tracking
vlan:
  use-for-tracking: false

1 Like

@IDSTower you are my hero! Changing the vlan tracking to false seems to solve the issue indeed. I spent hours figuring out why it did not work :sweat_smile:

Are there any limitations / side-effects because of this change (because normally this should be enabled)?

Glad it worked for you.

The only side-effect that comes to mind is that if you are monitoring multiple VLANs with overlapping IP ranges on the same Suricata host, Suricata can in theory mix flows up if they are using the same 5-tuples.

1 Like
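A toy model of what `vlan.use-for-tracking` changes, added here as an illustration; it is not code from this thread or from Suricata itself. The packet fields, the flow-key layout and the "server port is 80" direction rule are assumptions. It covers both the asymmetric-tag split behind the original problem (request on VLAN 1, reply untagged) and the overlapping-address collision mentioned in the reply above.

```python
from collections import defaultdict

def flow_key(pkt, use_vlan):
    """Direction-independent key: endpoints are sorted so a request and its
    reply map to the same flow, as in a bidirectional flow table."""
    ends = tuple(sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])]))
    key = (pkt["proto"],) + ends
    return key + (pkt["vlan"],) if use_vlan else key

def build_flows(packets, use_vlan):
    """Group packets into flows; record which directions each flow has seen.
    Direction is inferred from the server port (80), an assumption for this toy."""
    flows = defaultdict(lambda: {"pkts": 0, "dirs": set()})
    for p in packets:
        f = flows[flow_key(p, use_vlan)]
        f["pkts"] += 1
        f["dirs"].add("toserver" if p["dport"] == 80 else "toclient")
    return flows

def summarize(packets, use_vlan):
    """Return (flow count, flows seen in both directions). Only two-way flows
    have a complete enough handshake for the HTTP parser to engage, which is
    why the stats showed many TCP flows but zero app-layer flows."""
    flows = build_flows(packets, use_vlan)
    return len(flows), sum(1 for f in flows.values() if len(f["dirs"]) == 2)

# Constructed SPAN capture: request tagged VLAN 1, reply arrives untagged (VLAN 0).
ASYMMETRIC = [
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40000,
     "dst": "93.184.216.34", "dport": 80, "vlan": 1},
    {"proto": "tcp", "src": "93.184.216.34", "sport": 80,
     "dst": "10.0.0.5", "dport": 40000, "vlan": 0},
]
# Constructed side-effect case: two VLANs reusing the same private addresses and ports.
OVERLAPPING = [
    {"proto": "tcp", "src": "192.168.1.10", "sport": 50000,
     "dst": "192.168.1.20", "dport": 80, "vlan": 10},
    {"proto": "tcp", "src": "192.168.1.10", "sport": 50000,
     "dst": "192.168.1.20", "dport": 80, "vlan": 20},
]

if __name__ == "__main__":
    print("asymmetric, use-for-tracking true :", summarize(ASYMMETRIC, True))   # (2, 0)
    print("asymmetric, use-for-tracking false:", summarize(ASYMMETRIC, False))  # (1, 1)
    print("overlap, use-for-tracking true :", summarize(OVERLAPPING, True))     # (2, 0)
    print("overlap, use-for-tracking false:", summarize(OVERLAPPING, False))    # (1, 0) two sessions merged
```

With tracking on, the two halves of the asymmetric session never meet, so no flow is bidirectional and the HTTP parser never runs; with tracking off, the session is whole, but two unrelated sessions on different VLANs that share a 5-tuple collapse into one flow.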