Hi,
I am looking into Suricata EVE logs and trying to understand whether it is possible to determine that a packet/flow originated from a GRE tunnel when there is no corresponding alert event.
In my case, alert events include fields such as pkt_src: "gre tunnel" and the tunnel object, so from the alert it is clear that the inner packet was carried inside GRE.
However, the related flow event only shows the inner 5-tuple and protocol, for example UDP source/destination IPs and ports, but it does not appear to contain pkt_src or tunnel metadata.
So my question is:
Is there any built-in way in Suricata to identify from a flow event alone that the traffic was decapsulated from GRE, if no alert was generated for that flow?
More specifically:
- Can pkt_src or tunnel-related metadata be included in flow events?
- Is there any EVE setting that exposes this information for flows?
- Or is correlation with another event type the only option?
Thanks.
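One way to do the correlation the question lists as its third option, written as an added example that is not from the original post or from Suricata itself: it joins flow events to alert events on flow_id (an EVE field present in both event types) and copies pkt_src and the tunnel object across. The EVE lines are constructed samples, and the keys inside the tunnel object (src_ip, dest_ip, proto, depth) are assumed.

```python
import json

# Constructed sample EVE output (not real captures): an alert that carries GRE
# tunnel metadata, the flow record for the same flow_id, and an unrelated flow.
SAMPLE_EVE = """\
{"event_type": "alert", "flow_id": 1111, "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9", "proto": "UDP", "pkt_src": "gre tunnel", "tunnel": {"src_ip": "192.0.2.1", "dest_ip": "192.0.2.2", "proto": "GRE", "depth": 0}}
{"event_type": "flow", "flow_id": 1111, "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9", "proto": "UDP", "src_port": 5000, "dest_port": 53}
{"event_type": "flow", "flow_id": 2222, "src_ip": "10.0.0.7", "dest_ip": "10.0.0.9", "proto": "TCP", "src_port": 40000, "dest_port": 443}
"""


def parse_eve(text):
    """Yield one dict per well-formed JSON line; skip blank or truncated lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def index_tunnel_alerts(events):
    """Map flow_id -> {pkt_src, tunnel} for alerts whose pkt_src marks decapsulation."""
    by_flow = {}
    for ev in events:
        pkt_src = ev.get("pkt_src") or ""
        if ev.get("event_type") == "alert" and "tunnel" in pkt_src and "flow_id" in ev:
            # First alert on a flow wins (assumed: every alert on one flow shares its outer tunnel).
            by_flow.setdefault(ev["flow_id"], {"pkt_src": pkt_src, "tunnel": ev.get("tunnel")})
    return by_flow


def annotate_flows(text):
    """Return flow events with tunnel metadata copied from an alert on the same flow_id.
    Flows that never raised an alert keep tunnel_origin == "unknown": the flow record
    itself carries no pkt_src, so correlation cannot recover it for them."""
    events = list(parse_eve(text))
    tunnels = index_tunnel_alerts(events)
    flows = []
    for ev in events:
        if ev.get("event_type") != "flow":
            continue
        meta = tunnels.get(ev.get("flow_id"))
        ev["tunnel_origin"] = meta["pkt_src"] if meta else "unknown"
        if meta and meta["tunnel"] is not None:
            ev["tunnel"] = meta["tunnel"]
        flows.append(ev)
    return flows
```

The second sample flow shows the limit of this approach: with no alert on flow_id 2222, nothing in the flow record says whether it was decapsulated.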