How to get the VLAN ID in snort alert?

Question

I am trying to parse snort alerts and filter necessary information such as vlan id where a malicious internal machine belong to! However, I only can get the message, source and destination IPs, I need to get the VLAN ID too.

Thanks

Answer 1

(Assuming you're using Unified2 log format)

You can get the VLAN ID logged by using the vlan_event_types parameter when specifying the alert configuration:

output alert_unified2: \
    filename <base filename> [, <limit <size in MB>] [, nostamp] [, mpls_event_types] \
    [, vlan_event_types]

When enabled and the packet contains a VLAN header, a log item will contain the following record with vlan id:

E. Unified2 IDS Event (Version 2)

sensor id               4 bytes
event id                4 bytes
event second            4 bytes
event microsecond       4 bytes
signature id            4 bytes
generator id            4 bytes
signature revision      4 bytes
classification id       4 bytes
priority id             4 bytes
ip source               4 bytes
ip destination          4 bytes
source port/icmp type   2 bytes
dest. port/icmp code    2 bytes
protocol                1 byte
impact flag             1 byte
impact                  1 byte
blocked                 1 byte
mpls label              4 bytes
vlan id                 2 bytes
padding                 2 bytes

Unified2 IDS Event (Version 2) are logged for IPv4 packets which contain either MPLS or VLAN headers. Otherwise a Unified2 IDS Event is logged.

• Note that you’ll need to pass –enable-mpls to configure in order to have Snort fill in the mpls label field.

• Note that you’ll need to configure unified2 logging with either mpls_event_types or vlan_event_types to get this record type.

[https://www.snort.org/faq/readme-unified2]