Detect non-ip protocols (ie GOOSE)

vincentm · July 28, 2020, 3:26pm

Hi all,
I’m new to Suricata (and networking in general)
I would like to know how (if possible) to detect non-ip protocols, for instance GOOSE.

I have a pcap with GOOSE packets (among ip packets)
When I set a simple rule:
alert ip any any -> any any …

All ip packets are detected, non-ip packets (GOOSE in my case) are not.

What should I do?

Thanks in advance for your help
Vincent

Andreas_Herz · August 3, 2020, 7:27pm

Could you share the pcap or have an example pcap for that protocol? but for now you won’t gain much from it without support for that protocol.

vincentm · August 18, 2020, 8:16am

Hi Andreas,
thanks for your answer.
In the meantime I found a way to get my packets without the hassle of adding support for the protocol.

Here is a pcap with goose protocol packets:
goose.pcap (1.4 KB)

Regards,
Vincent

Andreas_Herz · August 20, 2020, 9:46pm

It might be worth to add a feature request in our redmine for that and attach the pcap.

Topic		Replies	Views
Suricata not detecting some packets in a pcap Help rules , suricata , pcaps	4	428	August 10, 2023
"pcap_cnt" is not accurate on TCP streams Help suricata	2	331	January 26, 2023
Alert triggered but nothing in the pcap Rules rules , suricata	2	321	September 19, 2022
Suricata not recognising packets, but tshark does Help	56	4668	June 18, 2020
How to find out which packets triggering the alert Help	2	884	December 13, 2021