I'm working on a project to implement SDN in a network. One of my flows is redirecting to the Suricata IDS, and the flow works in layer 2 with MAC addresses.

Since I've read that Snort only works in layer 3, I would like to know if it's possible to write a rule on Suricata that filters on the source and destination MAC addresses?

Glorfindel
loi219

1 Answer

Suricata implements a sub- and superset of the Snort language, but doesn't add support for matching on layer 2.

Recently there has been some work on at least tracking and logging MAC addresses (see https://github.com/OISF/suricata/pull/4975), so L2 is getting a bit more love.

In general, I would suggest opening a feature ticket describing the use cases.
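Since the answer above notes that MAC addresses can be logged but not matched in a rule, one practical workaround is to filter the EVE JSON output afterwards. The following is an added example (not code from the answer or from the Suricata project): it assumes EVE records carry an `ether` object with `src_mac` and `dest_mac` fields, and the sample lines are constructed rather than real captures.

```python
import json
from typing import Iterable, Iterator, Optional

# Constructed sample EVE JSON lines (not real captures). The "ether" object with
# src_mac/dest_mac is assumed to be what eve-log writes when ethernet logging is on.
SAMPLE_EVE = """
{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","ether":{"src_mac":"00:11:22:33:44:55","dest_mac":"66:77:88:99:aa:bb"},"alert":{"signature_id":1000001,"signature":"TEST 1"}}
{"event_type":"alert","src_ip":"10.0.0.7","dest_ip":"10.0.0.5","ether":{"src_mac":"aa-bb-cc-dd-ee-ff","dest_mac":"00:11:22:33:44:55"},"alert":{"signature_id":1000002,"signature":"TEST 2"}}
{"event_type":"flow","src_ip":"10.0.0.8","dest_ip":"10.0.0.1","ether":{"src_mac":"de:ad:be:ef:00:01","dest_mac":"66:77:88:99:aa:bb"}}
{"event_type":"alert","src_ip":"10.0.0.8","dest_ip":"10.0.0.1","alert":{"signature_id":1000003,"signature":"NO ETHER"}}
"""

def norm_mac(mac: str) -> str:
    """Canonical lowercase colon form, so 00-11-22-33-44-55, 0011.2233.4455
    and 00:11:22:33:44:55 all compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def filter_by_mac(lines: Iterable[str], src: Optional[str] = None,
                  dst: Optional[str] = None, event_type: str = "alert") -> Iterator[dict]:
    """Yield events of the given type whose logged ethernet header matches the
    wanted source and/or destination MAC. Events without an 'ether' object
    (logging disabled, non-ethernet capture) cannot be matched and are skipped."""
    want_src = norm_mac(src) if src else None
    want_dst = norm_mac(dst) if dst else None
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        ether = ev.get("ether")
        if ev.get("event_type") != event_type or not ether:
            continue
        try:
            have_src = norm_mac(ether.get("src_mac", ""))
            have_dst = norm_mac(ether.get("dest_mac", ""))
        except ValueError:
            continue  # malformed or missing address: treat as no match
        if (want_src and have_src != want_src) or (want_dst and have_dst != want_dst):
            continue
        yield ev

def sample_signature_ids(src: Optional[str] = None, dst: Optional[str] = None) -> list:
    """Signature ids of the sample alerts matching the given MAC filter."""
    return [ev["alert"]["signature_id"]
            for ev in filter_by_mac(SAMPLE_EVE.splitlines(), src, dst)]
```

Note that the last sample alert has no `ether` object and is therefore never matched, even with no MAC filter at all; if ethernet logging is off, this approach finds nothing.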