<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Jan 10, 2020 at 12:58 PM Tiago Faria <<a href="mailto:tiago.faria.backups@gmail.com">tiago.faria.backups@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr">On Fri, Jan 10, 2020 at 10:20 AM Peter Manev <<a href="mailto:petermanev@gmail.com" target="_blank">petermanev@gmail.com</a>> wrote:<br></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_quote"><div>When you start suri in verbose mode on the command line while specifying the file in suricata.yaml<br><span style="color:rgb(80,0,80)">-> bpf-filter: '/etc/suricata/</span><span style="color:rgb(80,0,80)">capture-filter.bpf'<br></span>Do you have any errors /output with regards to that?<br></div></div></div></blockquote><div><br></div><div>When referring to a file:</div><div><br></div>[12118] 10/1/2020 -- 11:41:29 - (source-af-packet.c:2274) <Error> (AFPSetBPFFilter) -- [ERRCODE: SC_ERR_AFP_CREATE(190)] - Failed to compile BPF "/etc/suricata/capture-filter.bpf": syntax error in filter expression: syntax error<br>[12118] 10/1/2020 -- 11:41:29 - (source-af-packet.c:1507) <Error> (ReceiveAFPLoop) -- [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error<br><div><br></div><div>If I replace that with a BPF expression, for example:</div><div><br></div><div>bpf-filter: "not host 1.1.1.1"</div><div><br></div><div>[12136] 10/1/2020 -- 11:44:27 - (source-af-packet.c:2261) <Info> (AFPSetBPFFilter) -- Using BPF 'not host 1.1.1.1' on iface 'enp0s3'</div><div><br></div><div>Calling the file with -F works as intended as well.</div><div><br></div><div>Is it safe to assume there isn't a way of calling the file via 
suricata.yaml?</div></div></div></blockquote><div><br>It would make sense to be able to pass a file as well as just a filter, I think, per interface if needed - so I am voting for opening a ticket on that :)<br> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_quote"><div> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_quote"><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, 10 Jan 2020 at 08:18, Peter Manev <<a href="mailto:petermanev@gmail.com" target="_blank">petermanev@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Jan 10, 2020 at 1:56 AM Tiago Faria <<a href="mailto:tiago.faria.backups@gmail.com" target="_blank">tiago.faria.backups@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hi list,<div><br></div><div>I wanted to first check here before going into Redmine, but it appears that Suricata 5.0.1 is not processing/accepting "bpf-filter: <file>" under af-packet. 
</div><div><br></div><div>Section of suricata.yaml:</div><div><br></div><div>af-packet:<br>- cluster-id: 1<br> cluster-type: cluster_flow<br> interface: enp2s0<br> threads: auto<br> tpacket-v3: 'yes'<br> use-mmap: 'yes'<br></div><div> bpf-filter: '/etc/suricata/capture-filter.bpf'</div></div></blockquote><div><br></div><div>I think this spot is for the filter itself, for example <br>bpf-filter: not host 1.1.1.1 and not host 2.2.2.2<br>(for that specific interface enp2s0)<br><br>If you have a BPF file you can supply it on the start/command line like <br>suricata -F /path/to/bpf.file </div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><br></div><div>The content of capture-filter.bpf:</div><div><br></div><div>not host 1.1.1.1 and</div><div>not host 2.2.2.2</div><div><br></div><div>As far as I could tell from the documentation, both the content of the file and the yaml configuration should be OK. </div><div><br></div><div>Any pointers? </div><div><br></div><div>Thank you.</div><div>T</div></div>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
<br>
Conference: <a href="https://suricon.net" rel="noreferrer" target="_blank">https://suricon.net</a><br>
Trainings: <a href="https://suricata-ids.org/training/" rel="noreferrer" target="_blank">https://suricata-ids.org/training/</a></blockquote></div></div><div dir="ltr"><br clear="all"><div><br></div>-- <br><div dir="ltr"><div>Regards,</div>
<div>Peter Manev</div></div></div>
</blockquote></div></div>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr"><div>Regards,</div>
<div>Peter Manev</div></div></div>
</blockquote></div></div>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div>Regards,</div>
<div>Peter Manev</div></div></div>
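<p>Added example (not from the thread or from the Suricata project): a small stdlib-only helper that turns a multi-line BPF filter file like the one above into the inline per-interface <code>bpf-filter</code> expression that suricata.yaml actually accepts, and refuses a value that looks like a file path, since Suricata compiles that string as BPF and fails with the "syntax error in filter expression" shown in the thread. The handling of <code>#</code> comments and newlines-as-whitespace is an assumption about how the filter file is written.</p>

```python
"""
Inline a BPF filter file into a Suricata af-packet interface entry.

As the thread established: the per-interface `bpf-filter` key holds the
filter expression itself; a file path there is compiled as BPF text and
rejected. A filter file is only accepted on the command line via -F.
"""


def looks_like_path(value: str) -> bool:
    """Heuristic: a bpf-filter value that is a filesystem path will be
    rejected by the BPF compiler, so catch it before writing the config."""
    return value.startswith(("/", "./", "../")) or value.endswith(".bpf")


def load_bpf_file(text: str) -> str:
    """Collapse a multi-line filter file into one expression.
    Assumption: '#' starts a comment and line breaks are plain whitespace
    (tcpdump-style), so the two-line file from the thread joins cleanly."""
    keep = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            keep.append(line)
    expr = " ".join(keep)
    if expr.count("(") != expr.count(")"):
        raise ValueError("unbalanced parentheses in filter expression")
    return expr


def render_af_packet(interface: str, bpf_expr: str, cluster_id: int = 99) -> str:
    """Emit the af-packet interface block with the filter inline."""
    if looks_like_path(bpf_expr):
        raise ValueError(f"bpf-filter must be an expression, not a file: {bpf_expr!r}")
    lines = [
        "af-packet:",
        f"  - interface: {interface}",
        f"    cluster-id: {cluster_id}",
        "    cluster-type: cluster_flow",
        "    threads: auto",
        "    tpacket-v3: 'yes'",
        "    use-mmap: 'yes'",
        f"    bpf-filter: \"{bpf_expr}\"",
    ]
    return "\n".join(lines) + "\n"


# Constructed sample: the two-line file from the thread plus a comment line.
SAMPLE_BPF = "# hosts excluded from capture\nnot host 1.1.1.1 and\nnot host 2.2.2.2\n"

if __name__ == "__main__":
    print(render_af_packet("enp2s0", load_bpf_file(SAMPLE_BPF), cluster_id=1))
```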