<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Tahoma
}
--></style>
</head>
<body class='hmmessage'><div dir='ltr'>
Thx for answering!<br>
<br>
I changed the bpf filter the way you said it, and I have still logs from my internal network.<br>
I can't post a pcap file, I'm sry.<br>
<br>
Any ideas ?<br>
<br>
Thx<br><br><div>> Date: Mon, 29 Aug 2011 17:40:37 +0200<br>> From: rmkml@yahoo.fr<br>> To: amrith@hotmail.fr<br>> CC: rmkml@yahoo.fr<br>> Subject: RE: [Oisf-users] Suricata / only public trafic<br>> <br>> Hi Amrith<br>> only for testing: can you change your bpf to 'not net 172.0.0.0/8'<br>> maybe post a pcap file contains your internal network please?<br>> Regards<br>> Rmkml<br>> <br>> <br>> On Mon, 29 Aug 2011, Amrith Z wrote:<br>> <br>> > Hi,<br>> > <br>> > Thx for your answer.<br>> > <br>> > This is how I'm curently starting suricata :<br>> > /usr/local/bin/suricata --user suricata -D --pidfile=/var/run/suricata.pid -c /etc/suricata/suricata.yaml -i eth1 'not src net 172.0.0.0/8'<br>> > <br>> > Maybe my filter is not correct, because I still have entries where the source IP is my internal network.<br>> > Any idea ?<br>> > <br>> > Thx.<br>> > <br>> > > Date: Mon, 22 Aug 2011 21:37:21 +0200<br>> > > From: rmkml@yahoo.fr<br>> > > To: amrith@hotmail.fr<br>> > > CC: oisf-users@openinfosecfoundation.org; rmkml@yahoo.fr<br>> > > Subject: RE: [Oisf-users] Suricata / only public trafic<br>> > ><br>> > > Thx for reply Amrith,<br>> > > ok what suricata version you use please?<br>> > > could you send a suricata starting example please?<br>> > ><br>> > > First, Im tested starting suricata v1.0.5 on pcap file with this cmd line (without bpf filter):<br>> > > ./suricata -c suricata.yaml -r abc.pcap<br>> > > suricata fill fast.log with a.b.c.d IP,<br>> > > ok second, Im start suricata again on same pcap file with bpf filter like this:<br>> > > ./suricata -c suricata.yaml -r abc.pcap 'not host a.b.c.d'<br>> > > check fast.log and NOT contains a.b.c.d IP.<br>> > > Could you test on your side please?<br>> > ><br>> > > If Im understand correctly, ticket 277 is a feature request for adding new '-b' option contain bpf filter in a flat file.<br>> > > Regards<br>> > > Rmkml<br>> > ><br>> > ><br>> > > On Mon, 22 Aug 2011, Amrith Z wrote:<br>> > ><br>> > > > Hi,<br>> > > ><br>> > > > I already tried this. But maybe I didn't do it the way I was supposed to. Where should I put the bpf expression ? I tried with the command line, and also with the -b option, with a bpf file, like said here :<br>> > > > https://redmine.openinfosecfoundation.org/issues/277<br>> > > > Both didn't work.<br>> > > ><br>> > > > Thank.<br>> > > > A.<br>> > > ><br>> > > > > Date: Mon, 22 Aug 2011 18:15:11 +0200<br>> > > > > From: rmkml@yahoo.fr<br>> > > > > To: amrith@hotmail.fr<br>> > > > > CC: oisf-users@openinfosecfoundation.org; rmkml@yahoo.fr<br>> > > > > Subject: Re: [Oisf-users] Suricata / only public trafic<br>> > > > ><br>> > > > > Hi Amrith,<br>> > > > > bpf_filter like:<br>> > > > > http://lists.openinfosecfoundation.org/pipermail/oisf-users/2011-March/000522.html<br>> > > > > Regards<br>> > > > > Rmkml<br>> > > > ><br>> > > > ><br>> > > > > On Mon, 22 Aug 2011, Amrith Z wrote:<br>> > > > ><br>> > > > > > Hi all,<br>> > > > > ><br>> > > > > > I'm a sys admin, and I¢m looking for a way to configure Suricata to only alert when the source or the destination corresponds to a public IP, and not regarding trafic from my internal network.<br>> > > > > > Is there a way to do that ?<br>> > > > > ><br>> > > > > > Thanks.<br>> > > > > ><br>> > > > > ><br>> > > ><br>> > > ><br>> > <br>> ><br></div> </div></body>
</html>