VLAN-tagged traffic - filter for capturing from only specific vlan doesn't work

[ejgh-oe]

Version

2.4.201

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

4

RAM

128

Storage for /

500G

Storage for /nsm

15T

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Hi,
Having weird issues wrt. filtering capture traffic out of an 802.1x trunk. Topology is a follows:
L1: Local LAN-Switch where both a firewall and my SO-sensor node connect to
L2: Firewall is connected to the switch via Trunk-interface thus carrying traffic for a bunch of VLANs. On the switch I've got a SPAN set up ("monitor" in Cisco lingo) that mirrors all traffic to/from the firewall to the port my sensor node is connected to.

The plan: Since I'm only interested in getting/analyzing Traffic in a particular VLAN on S.O. I set up BPF filters in SO identically for

• PCAP
• Suricata
• Zeek

as vlan 555.

Unfortunately that didn't work: I'm still getting Suricata and Zeek alerts from S.O. about traffic in other VLANs. Shouldn't the BPF for Suricata and Zeek respectively make sure that only Traffic tagged with VLAN 555 makes its way to Suricata/Zeek?

Only for PCAP the filter seems to work: so when starting from a Suricata Alert I opt for "PCAP" I only get packet data for alerts for VLAN 555 wheres for any suricata alerts from other VLANs there are not packets.

Any clue as wo what might be wrong here, i.e. why a BPF "vlan xxx" doesn't work for Suricata/Zeek?

PS: Please note that filtering out traffic on the SPAN-source-interface (i.e. where the firewall connects to is not an option since that source traffic is also mirrored to another interface aside from the one the S.O. sensor connects to).

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[cm-ops]

Just so I am clear, the BPF filter is simply vlan 555?

[ejgh-oe]

Yes, simply vlan 555 in all three cases, i.e.

• PCAP
• Suricata
• Zeek

[cm-ops]

https://docs.securityonion.net/en/2.4/bpf.html#vlan You have to have a filter on both sides of the vlan tag.

[ejgh-oe]

Thanks much for your help, i.e. the pointer to the BPF-setup/VLAN. I've changed the PCAP-Filter according to the docs and it works like a charm, checking only packets from the relevant VLAN.

PS: Sorry for getting back so late, but I've been swamped with work over the past weeks...