Does Suricata detect non-decapsulated VXLAN traffic?

zlvinas · April 26, 2021, 11:05am

We are mirroring traffic to Suricata (5.0.2) via VXLAN. Our rules include detect all non-TLS and detect all UDP. We are seeing alerts for UDP VXLAN traffic.

What is the Suricata behaviour?

Detection rules run only on decapsulated VXLAN traffic
Detection rules run on non-decapsulated VXLAN and decapsulated VXLAN traffic
Detection rules run only on non-decapsulated VXLAN traffic

Thanks
Zilvinas

Topic		Replies	Views
Unable to output logs (vxlan) Rules	2	403	August 29, 2021
Detecting https-tunneled ssh traffic Rules pfsense	3	1743	August 5, 2021
Bypassing encrypted traffic does not seem to work Help	8	1514	December 10, 2021
Reverse Shell detection Rules	20	3954	August 27, 2021
Encrypted traffic inspection Help suricata	4	5883	June 17, 2022

Does Suricata detect non-decapsulated VXLAN traffic?

Related Topics