8.51. VLAN Keywords
8.51.1. vlan.id
Suricata has a vlan.id keyword that can be used in signatures to identify and filter network packets based on Virtual Local Area Network IDs. If a packet carries multiple VLAN layers (stacked 802.1Q/QinQ tags), the keyword is by default checked against every layer and matches as soon as any one of them satisfies the comparison. If a specific layer is given, only that layer is compared.
Syntax:
vlan.id: [op]id[,layer];
The id can be matched exactly, or compared using the op setting:
vlan.id:300 # exactly 300
vlan.id:<300,0 # smaller than 300 at layer 0
vlan.id:>=200,1 # greater than or equal to 200 at layer 1
vlan.id uses an unsigned 16-bit integer. The valid range for VLAN id values is 0 - 4095.
This keyword also supports all and any as arguments for layer. all matches only if every VLAN layer satisfies the comparison; any matches if at least one layer does.
Value | Description
---|---
[default] | Match with any layer
0 - 2 | Match specific layer (front to back indexing)
-3 - -1 | Match specific layer with back to front indexing
all | Match only if all layers match
any | Match with any layer
This small illustration shows how indexing works for vlan.id:
[ethernet]
[vlan 666 (index 0 and -2)]
[vlan 123 (index 1 and -1)]
[ipv4]
[udp]
8.51.1.1. Examples
Example of a signature that would alert if any of the VLAN IDs is equal to 300:
alert ip any any -> any any (msg:"Vlan ID is equal to 300"; vlan.id:300; sid:1;)
Example of a signature that would alert if the VLAN ID at layer 1 is equal to 300:
alert ip any any -> any any (msg:"Vlan ID is equal to 300 at layer 1"; vlan.id:300,1; sid:1;)
Example of a signature that would alert if the VLAN ID at the last layer is equal to 400:
alert ip any any -> any any (msg:"Vlan ID is equal to 400 at the last layer"; vlan.id:400,-1; sid:1;)
Example of a signature that would alert only if all the VLAN IDs are greater than 100:
alert ip any any -> any any (msg:"All Vlan IDs are greater than 100"; vlan.id:>100,all; sid:1;)
It is also possible to use vlan.id as the rule's prefilter (the role fast_pattern plays for content matches) by adding the prefilter keyword, as shown in the following example.
alert ip any any -> any any (msg:"Vlan ID is equal to 200 at layer 1"; vlan.id:200,1; prefilter; sid:1;)
8.51.2. vlan.layers
Matches on the number of VLAN layers (stacked tags) present in a packet.
Syntax:
vlan.layers: [op]number;
The number can be matched exactly, or compared using the op setting:
vlan.layers:3 # exactly 3 vlan layers
vlan.layers:<3 # less than 3 vlan layers
vlan.layers:>=2 # greater than or equal to 2 vlan layers
vlan.layers uses an unsigned 8-bit integer. The minimum and maximum values that vlan.layers can take are 0 and 3.
8.51.2.1. Examples
Example of a signature that would alert if a packet has 0 VLAN layers:
alert ip any any -> any any (msg:"Packet has 0 vlan layers"; vlan.layers:0; sid:1;)
Example of a signature that would alert if a packet has more than 1 VLAN layer:
alert ip any any -> any any (msg:"Packet has more than 1 vlan layer"; vlan.layers:>1; sid:1;)
It is also possible to use vlan.layers as the rule's prefilter (the role fast_pattern plays for content matches) by adding the prefilter keyword, as shown in the following example.
alert ip any any -> any any (msg:"Packet has 2 vlan layers"; vlan.layers:2; prefilter; sid:1;)
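The following is an added example and not part of the Suricata documentation or code base. It is a small Python model of the vlan.id and vlan.layers match semantics described in this section: it pulls the VLAN stack out of a raw Ethernet frame (802.1Q and QinQ tags, at most three layers) and evaluates rule arguments such as "300", "<300,0", ">100,all" or "400,-1" against it, including the back-to-front indexing from the illustration. The frame builder, the constructed test frames, the restriction to the operators shown above, and the choice that an untagged frame never satisfies "all" are assumptions of this illustration; Suricata's own C implementation is the authority on any edge case.

```python
import struct

# EtherTypes that start a VLAN tag: 802.1Q, 802.1ad (QinQ) and the
# pre-standard QinQ value. Suricata decodes at most three stacked tags.
VLAN_TPIDS = {0x8100, 0x88A8, 0x9100}
MAX_VLAN_LAYERS = 3

# Comparison operators shown in this section; "" is an exact match.
OPS = {
    "": lambda a, b: a == b,
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
}


def vlan_stack(frame: bytes) -> list[int]:
    """Return the VLAN IDs of an Ethernet frame, outermost (index 0) first."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ids = []
    off = 12                                   # skip dst/src MAC
    ethertype = struct.unpack_from("!H", frame, off)[0]
    off += 2
    while ethertype in VLAN_TPIDS and len(ids) < MAX_VLAN_LAYERS:
        if len(frame) < off + 4:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack_from("!HH", frame, off)
        ids.append(tci & 0x0FFF)               # VID is the low 12 bits of the TCI
        off += 4
    return ids


def split_op(text: str) -> tuple[str, int]:
    """Split '>=200' into ('>=', 200); a bare number is an exact match."""
    text = text.strip()
    for op in ("<=", ">=", "<", ">"):          # two-char ops before one-char ops
        if text.startswith(op):
            return op, int(text[len(op):])
    return "", int(text)


def match_vlan_id(frame: bytes, arg: str) -> bool:
    """Evaluate a 'vlan.id:[op]id[,layer]' argument against a frame."""
    value, _, layer = arg.partition(",")
    op, vid = split_op(value)
    if not 0 <= vid <= 4095:
        raise ValueError("vlan id out of range 0-4095")
    layer = layer.strip() or "any"             # default behaves like 'any'
    ids = vlan_stack(frame)
    hits = [OPS[op](x, vid) for x in ids]      # one verdict per VLAN layer
    if layer == "any":
        return any(hits)
    if layer == "all":
        return bool(hits) and all(hits)        # assumption: untagged frame never matches
    index = int(layer)
    if not -MAX_VLAN_LAYERS <= index < MAX_VLAN_LAYERS:
        raise ValueError("layer must be -3..2, all or any")
    try:
        return hits[index]                     # negative index counts from the inner tag
    except IndexError:
        return False                           # frame has no tag at that layer


def match_vlan_layers(frame: bytes, arg: str) -> bool:
    """Evaluate a 'vlan.layers:[op]number' argument against a frame."""
    op, n = split_op(arg)
    if not 0 <= n <= MAX_VLAN_LAYERS:
        raise ValueError("layers must be 0-3")
    return OPS[op](len(vlan_stack(frame)), n)


def build_frame(vids: list[int]) -> bytes:
    """Constructed test frame: Ethernet, the given VLAN tags, then a zeroed IPv4 stub."""
    frame = bytearray(b"\xff" * 6 + bytes.fromhex("0200000000aa"))
    for i, vid in enumerate(vids):
        tpid = 0x88A8 if i == 0 and len(vids) > 1 else 0x8100   # QinQ outer tag
        frame += struct.pack("!HH", tpid, vid & 0x0FFF)         # PCP/DEI bits left at 0
    frame += struct.pack("!H", 0x0800) + bytes(20)
    return bytes(frame)


if __name__ == "__main__":
    # The two-tag frame from the indexing illustration: 666 outer, 123 inner.
    pkt = build_frame([666, 123])
    for rule in ("300", "666", "123,1", "400,-1", "123,-1", ">100,all", ">200,all"):
        print(f"vlan.id:{rule:<10} -> {match_vlan_id(pkt, rule)}")
    for rule in ("2", ">1", "<2"):
        print(f"vlan.layers:{rule:<6} -> {match_vlan_layers(pkt, rule)}")
```

Feeding the two-tag frame from the illustration through the model reproduces the behaviour of the example signatures: "300" does not match, "123,1" and "123,-1" match the inner tag, ">100,all" matches while ">200,all" does not because the inner tag is 123, and an index that points past the stack (for example "666,2" on a two-tag frame) simply fails to match rather than erroring.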