Suricata generating VXLAN + ICMP traffic

Help
1

We have a setup where Suricata (5.0.2) is running only as IDS and is receiving mirrored traffic via VXLAN protocol. We noticed that there is an ICMP traffic wrapped in VXLAN generated by Suricata that is flowing back to the instance that VXLAN is mirrored from. Tested this by running process without Suricata and with Suricata.

VXLAN + ICMP traffic has properties:

Screenshot 2021-04-27 at 17.34.15
Screenshot 2021-04-27 at 17.34.151219×456 65.7 KB

My question is why we are seeing this traffic? Can Suricata be configured to disable sending traffic back to instance?

Edit 1
We are using AWS services. Topology:

Untitled
Untitled1211×541 32.4 KB

We only have alert rules.

Suricata is being configured:

./configure --enable-nfqueue \
            --enable-python \
            --enable-lua \
            --with-libnetfilter_queue-libraries=...
            --with-libnetfilter_queue-includes=...
            --with-libhs-includes=...
            --with-libhs-libraries=...
            --with-liblua-includes=...
            --with-liblua-libraries=...
            --with-libnet-libraries=...
            --with-libnet-includes=...
            --with-libnspr-libraries=...
            --with-libnspr-includes=...
            --with-libnss-libraries=...
            --with-libnss-includes=...
            --disable-gccmarch-native \
            "--prefix=..."
2

Hi,
Suricata doesn’t transmit packets in IDS mode. In IDS mode, Suricata normally receives traffic from a TAP or SPAN port. These are unidirectional.

Can you explain your deployment topology?

3

Added more details in Edit 1. Please let me know if you need more details. Thanks!

4

How do you run/start suricata and can you also post the config yaml file?