Does Suricata detect non-decapsulated VXLAN traffic?

zlvinas · April 26, 2021, 11:05am

We are mirroring traffic to Suricata (5.0.2) via VXLAN. Our rules include detect all non-TLS and detect all UDP. We are seeing alerts for UDP VXLAN traffic.

What is the Suricata behaviour?

Detection rules run only on decapsulated VXLAN traffic
Detection rules run on non-decapsulated VXLAN and decapsulated VXLAN traffic
Detection rules run only on non-decapsulated VXLAN traffic

Thanks
Zilvinas

Topic		Replies	Views
Unable to output logs (vxlan) Rules	2	464	August 29, 2021
Suricata generating VXLAN + ICMP traffic Help	3	499	April 28, 2021
Real-time TLS Traffic Inspection Help	2	248	October 24, 2024
Asymmetric Traffic Help	4	414	August 29, 2022
Suricata not detecting some packets in a pcap Help rules , suricata , pcaps	4	748	August 10, 2023

Does Suricata detect non-decapsulated VXLAN traffic?

Related topics