Decoder Events Rule - SID 2200067

Alessiottero · January 29, 2025, 10:13pm

Hello guys!

I have a question regarding the built-in Suricata rule with SID 2200067 in the decoder-events.rules file.

Could someone please explain me the specific function of this rule? Specifically in which cases is it triggered?

Thanks in advance for anyone who can answer!!

vjulien · January 30, 2025, 12:47pm

VLAN has a next protocol field, that can is 16 bits, so it can potentially hold 64k unique values. When Suricata encounters a value there that it doesn’t support, it will set this event.

In the code:

Here is the vlan decoder

github.com/OISF/suricata

src/decode-vlan.c

master


      
          * \brief this function is used to decode IEEE802.1q packets
          *
          * \param tv pointer to the thread vars
          * \param dtv pointer code thread vars
          * \param p pointer to the packet struct
          * \param pkt pointer to the raw packet
          * \param len packet len
          * \param pq pointer to the packet queue
          *
          */
          int DecodeVLAN(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p,
                 const uint8_t *pkt, uint32_t len)
          {
             DEBUG_VALIDATE_BUG_ON(pkt == NULL);
          
             uint16_t proto;
          
             if (p->vlan_idx == 0)
                 StatsIncr(tv, dtv->counter_vlan);
             else if (p->vlan_idx == 1)
                 StatsIncr(tv, dtv->counter_vlan_qinq);

And here is the parser that parses the next layer

github.com/OISF/suricata

src/decode.h

master


      
                  default:
                      SCLogError("datalink type "
                                 "%" PRId32 " not yet supported",
                              datalink);
                      break;
              }
          }
          
          /** \brief decode network layer
           *  \retval bool true if successful, false if unknown */
          static inline bool DecodeNetworkLayer(ThreadVars *tv, DecodeThreadVars *dtv,
                  const uint16_t proto, Packet *p, const uint8_t *data, const uint32_t len)
          {
              switch (proto) {
                  case ETHERNET_TYPE_IP: {
                      uint16_t ip_len = (len < USHRT_MAX) ? (uint16_t)len : (uint16_t)USHRT_MAX;
                      DecodeIPV4(tv, dtv, p, data, ip_len);
                      break;
                  }
                  case ETHERNET_TYPE_IPV6: {
                      uint16_t ip_len = (len < USHRT_MAX) ? (uint16_t)len : (uint16_t)USHRT_MAX;

If the switch statement reaches the default case, it returns false and the vent will be set in the vlan decoder.

vjulien · January 30, 2025, 12:48pm

To clarify, the fact that Suricata doesn’t know the protocol, doesn’t mean it is bad or weird or malicious. It might simply be a protocol that Suricata doesn’t have support for. We’re always interested in pcaps for such protocols.

Topic		Replies	Views
Rule 2210008 - help interpreting results Rules	6	1152	September 24, 2020
Generic Protocol Command Decode Help	13	14481	March 13, 2021
Decode, stream, app-layer event rules Rules rules	5	1247	June 7, 2022
What is the purpose of Suricata rules which have sid 2200000-2299999? Rules rules , suricata	4	74	August 7, 2024
Deleted rules still being added Help	2	816	February 26, 2021

Decoder Events Rule - SID 2200067

Related topics