Is vlan id tagging available as an outflow?

LoriP · January 7, 2021, 1:22am

Hello,
Can someone please let me know how the following feature works in the yaml file?

#VLAN tracking
vlan:
use-for-tracking: true

Is the vlan id extracted from the packet header on the outflow when this option is configured? Is it possible to include vlan ids in the text for an alert? I do not wish to exclude any packets based upon a vlan id, but instead display the vlan id if one exists.

I would appreciate any insight on this topic.
Thank you

ish · January 7, 2021, 5:52pm

No extra configuration is required to log the VLAN ID if present, and the vlan.use-for-tracking setting does not affect the output. If an alert triggers on a packet that is VLAN tagged, you should see it in the eve.json. For example:

{
  "timestamp": "2019-02-24T17:42:09.070602+0000",
  "flow_id": 1342812254704586,
  "pcap_cnt": 1,
  "event_type": "alert",
  "vlan": [
    6
  ],
  "src_ip": "192.168.0.1",

Topic		Replies	Views
Netflow "event.original" is different Help community , suricata	6	556	March 9, 2022
How to use tagged-packets Help	1	344	November 27, 2021
The flow id got changed even though I keep send the same packet Help	2	554	April 27, 2022
How to retrieve full session on basis of alert Help	1	378	February 22, 2022
Tracking xbits in eve logs Help	2	376	December 28, 2021

Is vlan id tagging available as an outflow?

Related Topics