Is there any downside (resource-wise) to having the VXLAN decoder enabled when not monitoring VXLAN traffic, for example, as a default config? I ask because I would like to have it enabled by default, to monitor environments with both VXLAN and non-VXLAN traffic, and not have to go modify suricata.yaml.
It depends a bit on the config and the traffic. If you enable VXLAN you’ll have to tell it on what ports you expect it. It defaults to udp/4789. For any packet to this port Suricata will try to evaluate the packet payload as VXLAN. If for some reason you’d have other traffic using udp/4789 (or whatever your configured ports are), then that traffic will have to deal with the overhead of the VXLAN decoder trying to decode the payload.
For all other cases, the overhead should be essentially zero.
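To make the port gate and the per-packet decode attempt described above concrete, here is an added Python example (not from this thread and not Suricata's own decoder). It models the VXLAN header after RFC 7348, uses the udp/4789 default mentioned above, and, as an assumption of this example, rejects payloads whose trailing reserved byte is non-zero so that an accidental match on udp/4789 is not mistaken for VXLAN.

```python
import struct

VXLAN_PORTS = {4789}   # assumed: Suricata's default VXLAN port (udp/4789)
VXLAN_FLAG_I = 0x08    # RFC 7348 "I" flag: the VNI field is valid
VXLAN_HDR_LEN = 8      # flags(1) reserved(3) VNI(3) reserved(1)
ETH_HDR_LEN = 14       # minimal inner Ethernet header


def decode_vxlan(udp_payload: bytes):
    """Try to parse a UDP payload as VXLAN; return (vni, inner_ethertype) or None."""
    if len(udp_payload) < VXLAN_HDR_LEN + ETH_HDR_LEN:
        return None
    flags, vni_word = struct.unpack("!B3xI", udp_payload[:VXLAN_HDR_LEN])
    # I flag must be set; the low byte after the 24-bit VNI is reserved and
    # is required to be zero here (stricter than RFC 7348, by assumption).
    if not (flags & VXLAN_FLAG_I) or (vni_word & 0xFF):
        return None
    vni = vni_word >> 8
    inner = udp_payload[VXLAN_HDR_LEN:]
    (ethertype,) = struct.unpack("!H", inner[12:14])
    return vni, ethertype


def classify_udp(dst_port: int, payload: bytes, vxlan_ports=VXLAN_PORTS):
    """Port gate: only packets to a configured port are even tried as VXLAN."""
    if dst_port not in vxlan_ports:
        return "udp"  # decoder never runs, so there is no extra cost
    return "vxlan" if decode_vxlan(payload) else "udp"


def build_vxlan(vni: int, inner_frame: bytes) -> bytes:
    """Constructed sample: VXLAN header with I flag set, followed by the inner frame."""
    return struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8) + inner_frame


# Constructed inner Ethernet frame: broadcast dst MAC, src MAC, EtherType IPv4, dummy body.
INNER = bytes.fromhex("ffffffffffff" "001122334455" "0800") + b"\x45" * 20
SAMPLE_VXLAN = build_vxlan(100, INNER)
# Constructed non-VXLAN payload on the same port. Note that 'H' (0x48) has bit
# 0x08 set, so the I-flag check alone would accept it; the reserved-byte check
# is what rejects it.
SAMPLE_OTHER = b"HELLO from some non-VXLAN app using udp/4789"

if __name__ == "__main__":
    print(decode_vxlan(SAMPLE_VXLAN), classify_udp(4789, SAMPLE_VXLAN))
    print(decode_vxlan(SAMPLE_OTHER), classify_udp(4789, SAMPLE_OTHER))
    print(classify_udp(53, SAMPLE_VXLAN))
```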
Thank you for the clarification, Victor! That definitely helps to put it into perspective.