Good morning everyone.
I’m working on an Encrypted Traffic Analysis “plugin”. It will be deployed in a data center with several VLANs.
Since the plugin works on a one-LAN scope, I would need to extract VLAN tags from flows to differentiate them.
Best case would be doing it in Lua Output, but I’m open to any solution.
It looks like we’re not exposing the VLAN IDs to Lua.
Thanks for replying. Do you think there is some kind of workaround? Or any hope that would be implemented in the short-medium term?
Just for anyone who might by chance find this post while having a similar issue: there seems to be no workaround inside Suricata at the moment. VLAN IDs are not accessible from Lua, and there is no easy way to access them from anywhere else, at least not in an easy-to-aggregate way (you can get them from alert logs, but you should log each and every flow as an alert).
For me this is quite a big issue. I will probably have to move to building a custom agent, because I can’t infer almost anything about subnets without being able to differentiate between VLANs.
If at any moment you are reading this and you think you have a solution, please feel free to message me. The same goes if you think you have a similar problem; I could have found a solution in the meantime.
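The alert-log workaround mentioned in the thread, as an added example that is not part of any post here: it aggregates distinct flows per VLAN from EVE JSON lines. The field names (`vlan`, `event_type`, the 5-tuple keys) follow Suricata's EVE output as I understand it and are an assumption, and the sample lines are constructed.

```python
import json
from collections import defaultdict

# Constructed EVE JSON lines standing in for Suricata's eve.json (assumed field
# names; real records carry many more keys). The "vlan" value is a list in
# recent Suricata releases and a bare integer in older ones; both are handled.
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T10:00:00.000000+0000","flow_id":1,"event_type":"alert","vlan":[100],"src_ip":"10.1.0.5","dest_ip":"10.1.0.9","src_port":51000,"dest_port":443,"proto":"TCP"}
{"timestamp":"2024-01-01T10:00:01.000000+0000","flow_id":2,"event_type":"alert","vlan":[100],"src_ip":"10.1.0.7","dest_ip":"10.1.0.9","src_port":51001,"dest_port":443,"proto":"TCP"}
{"timestamp":"2024-01-01T10:00:02.000000+0000","flow_id":3,"event_type":"alert","vlan":200,"src_ip":"10.2.0.5","dest_ip":"10.2.0.9","src_port":52000,"dest_port":443,"proto":"TCP"}
{"timestamp":"2024-01-01T10:00:03.000000+0000","flow_id":4,"event_type":"alert","src_ip":"192.0.2.1","dest_ip":"192.0.2.2","src_port":40000,"dest_port":80,"proto":"TCP"}
{"timestamp":"2024-01-01T10:00:04.000000+0000","flow_id":5,"event_type":"flow","vlan":[100],"src_ip":"10.1.0.5","dest_ip":"10.1.0.9","src_port":51000,"dest_port":443,"proto":"TCP"}
"""

def vlan_of(record):
    """Return the outermost VLAN id of an EVE record, or None if untagged.
    A list (QinQ-capable versions) yields its first element; an int is used as-is."""
    v = record.get("vlan")
    if v is None:
        return None
    if isinstance(v, list):
        return v[0] if v else None
    return int(v)

def flow_key(record):
    # 5-tuple identifying a flow within a VLAN
    return (record["proto"], record["src_ip"], record["src_port"],
            record["dest_ip"], record["dest_port"])

def flows_per_vlan(eve_lines, event_type="alert"):
    """Map VLAN id -> number of distinct 5-tuples seen in records of event_type.
    Untagged traffic is grouped under key None. Malformed lines are skipped."""
    seen = defaultdict(set)
    for line in eve_lines.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") != event_type:
            continue
        seen[vlan_of(rec)].add(flow_key(rec))
    return {vlan: len(keys) for vlan, keys in seen.items()}

if __name__ == "__main__":
    counts = flows_per_vlan(SAMPLE_EVE)
    for vlan, n in sorted(counts.items(), key=lambda kv: (kv[0] is None, kv[0] or 0)):
        print(f"vlan={vlan}: {n} distinct flows")
```

Feed it the real eve.json instead of SAMPLE_EVE to get per-VLAN flow counts; only flows that triggered an alert appear, which is the limitation the thread describes.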