I have a packet capture where the ip_proto is 17, UDP. The contents of the packet are correctly identified as ESP in wireshark. When writing my suricata rules, it seems like I can’t leverage the ESP parsing. Is there a way to force the packet through the ESP parser? I would like to take advantage of the SPI and other features already built in.
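For context on what "ESP inside UDP" looks like on the wire, here is an added example (not from the original post or from Suricata) that classifies a UDP payload by the RFC 3948 NAT-T encapsulation rules, extracts the ESP SPI and sequence number, and flags a per-SPI sequence regression; the sample packets are constructed, and the `SpiTracker` name is hypothetical.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ESP_SPI_SEQ = struct.Struct("!II")  # ESP header: 32-bit SPI, 32-bit sequence number

@dataclass
class UdpEncapResult:
    kind: str                  # "esp", "ike", "keepalive" or "unknown"
    spi: Optional[int] = None
    seq: Optional[int] = None

def classify_udp_encap(payload: bytes) -> UdpEncapResult:
    """Classify a UDP/4500 payload per RFC 3948 and pull out the ESP SPI/sequence."""
    # A single 0xFF octet is a NAT keepalive (RFC 3948 section 2.3).
    if payload == b"\xff":
        return UdpEncapResult("keepalive")
    if len(payload) < ESP_SPI_SEQ.size:
        return UdpEncapResult("unknown")
    spi, seq = ESP_SPI_SEQ.unpack_from(payload, 0)
    # Four zero octets where the SPI would be is the Non-ESP Marker: IKE (RFC 3948 section 2.2).
    if spi == 0:
        return UdpEncapResult("ike")
    # SPI values 1..255 are reserved by IANA (RFC 4303) and should not appear in traffic.
    if spi < 256:
        return UdpEncapResult("unknown", spi=spi, seq=seq)
    return UdpEncapResult("esp", spi=spi, seq=seq)

class SpiTracker:
    """Tracks the highest sequence number seen per SPI to spot regressions (possible replay)."""
    def __init__(self) -> None:
        self.highest: dict = {}

    def observe(self, r: UdpEncapResult) -> bool:
        """Return True if an ESP packet's sequence number did not advance for its SPI."""
        if r.kind != "esp":
            return False
        last = self.highest.get(r.spi)
        if last is not None and r.seq <= last:
            return True
        self.highest[r.spi] = r.seq
        return False

# Constructed sample UDP payloads (not from any real capture).
SAMPLE_ESP = b"\xc0\xff\xee\x01" + b"\x00\x00\x00\x07" + b"\x11" * 16  # SPI 0xC0FFEE01, seq 7
SAMPLE_IKE = b"\x00\x00\x00\x00" + b"\x01" * 28                         # Non-ESP Marker + IKE header

if __name__ == "__main__":
    tracker = SpiTracker()
    for pkt in (SAMPLE_ESP, SAMPLE_IKE, b"\xff", SAMPLE_ESP):
        r = classify_udp_encap(pkt)
        print(r, "sequence regression" if tracker.observe(r) else "")
```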
Could you share a pcap?
A quick look at the code shows that we use IPPROTO_ESP to decode as ESP…