Netflow "event.original" is different

Hi.

I enabled netflow logging in my eve.json file. What I noticed is that some of the logs do not include the vlan and app_proto information. For example:

{"timestamp":"2022-03-08T10:30:43.218310+0000","flow_id":1827732719774965,"in_iface":"x","event_type":"netflow","vlan":[x],"src_ip":"x","src_port":x,"dest_ip":"x","dest_port":80,"proto":"TCP","app_proto":"http","netflow":{"pkts":136,"bytes":9499,"start":"2022-03-08T10:27:13.765173+0000","end":"2022-03-08T10:27:14.182656+0000","age":1,"min_ttl":56,"max_ttl":57},"tcp":{"tcp_flags":"1b","syn":true,"fin":true,"psh":true,"ack":true}}

{"timestamp":"2022-03-08T10:28:16.474975+0000","flow_id":334119186678707,"in_iface":"x","event_type":"netflow","src_ip":"x","src_port":x,"dest_ip":"x","dest_port":80,"proto":"TCP","netflow":{"pkts":2,"bytes":120,"start":"2022-03-08T10:26:55.738227+0000","end":"2022-03-08T10:26:55.738232+0000","age":0,"min_ttl":106,"max_ttl":106},"tcp":{"tcp_flags":"02","syn":true}}

Despite both being http events (destination port is 80), only one of the entries indicates the app_proto and vlan information. Why is this happening?

Vlan information is included in the netflow record when the frame arrives with vlan tags.

The vlan decoder (src/decode-vlan.c) maintains statistics for vlan and for vlan-in-vlan.

Can you correlate those values with the logging that you’re observing?

Are you able to construct a small pcap that demonstrates the issue?

If you have the source code handy, you’ll see the vlan handling code inside CreateEveHeaderFromNetFlow:

/* vlan */
if (f->vlan_idx > 0) {
    .
    .
    .
}

Thanks for your reply.

And what about the app_proto information?

What Suricata version are you using?

The Suricata version is 6.0.4.

What worries me the most is that without the app_proto information I can't identify the type of protocol of a given event.

Do you have other examples? The one you listed shows that the 3-way handshake at the beginning of the TCP setup has not yet completed. Thus, there’s no app proto.
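As an added illustration (not from this thread or from Suricata itself), a small Python triage script that reads eve.json netflow lines, separates records that lack app_proto because the TCP handshake never completed (SYN set but no ACK in tcp_flags) from the rest, and counts how many records carried a vlan tag. The sample records are constructed, modelled on the ones above; the field names are the ones Suricata's EVE output uses.

```python
import json

# Constructed sample eve.json lines (not the original poster's data):
# one completed HTTP flow on a tagged vlan, one SYN-only flow, one non-netflow event.
SAMPLE_EVE = """\
{"timestamp":"2022-03-08T10:30:43.218310+0000","flow_id":1,"event_type":"netflow","vlan":[100],"src_ip":"10.0.0.1","src_port":51000,"dest_ip":"10.0.0.2","dest_port":80,"proto":"TCP","app_proto":"http","netflow":{"pkts":136,"bytes":9499,"age":1},"tcp":{"tcp_flags":"1b","syn":true,"fin":true,"psh":true,"ack":true}}
{"timestamp":"2022-03-08T10:28:16.474975+0000","flow_id":2,"event_type":"netflow","src_ip":"10.0.0.3","src_port":52000,"dest_ip":"10.0.0.2","dest_port":80,"proto":"TCP","netflow":{"pkts":2,"bytes":120,"age":0},"tcp":{"tcp_flags":"02","syn":true}}
{"timestamp":"2022-03-08T10:29:00.000000+0000","flow_id":3,"event_type":"alert","src_ip":"10.0.0.3","dest_ip":"10.0.0.2"}
"""

TCP_SYN = 0x02  # tcp_flags bit values as used in the TCP header
TCP_ACK = 0x10


def classify_netflow(record):
    """Explain why a netflow record has (or lacks) app_proto; None for non-netflow events."""
    if record.get("event_type") != "netflow":
        return None
    if "app_proto" in record:
        return "app_proto_present"
    if record.get("proto") == "TCP":
        flags = int(record.get("tcp", {}).get("tcp_flags", "00"), 16)
        # SYN seen but never an ACK: the 3-way handshake did not complete,
        # so no payload was exchanged and no application protocol could be detected.
        if flags & TCP_SYN and not flags & TCP_ACK:
            return "handshake_incomplete"
    return "no_app_proto_other"


def summarize(eve_text):
    """Count classification reasons and vlan-tagged vs untagged netflow records."""
    counts = {"vlan_tagged": 0, "untagged": 0}
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        reason = classify_netflow(record)
        if reason is None:
            continue  # alerts, http, dns, ... are not netflow records
        counts[reason] = counts.get(reason, 0) + 1
        # vlan is only present when the frame arrived with a vlan tag
        counts["vlan_tagged" if "vlan" in record else "untagged"] += 1
    return counts


if __name__ == "__main__":
    print(summarize(SAMPLE_EVE))
```

Run it over a real eve.json with `summarize(open("eve.json").read())`; a large `handshake_incomplete` share against port 80 is scanning or unanswered connection attempts rather than missing HTTP parsing.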