[Oisf-users] Suricata / only public trafic
rmkml
rmkml at yahoo.fr
Mon Aug 22 19:37:21 UTC 2011
Thx for reply Amrith,
ok what suricata version you use please?
could you send a suricata starting example please?
First, Im tested starting suricata v1.0.5 on pcap file with this cmd line (without bpf filter):
./suricata -c suricata.yaml -r abc.pcap
suricata fill fast.log with a.b.c.d IP,
ok second, Im start suricata again on same pcap file with bpf filter like this:
./suricata -c suricata.yaml -r abc.pcap 'not host a.b.c.d'
check fast.log and NOT contains a.b.c.d IP.
Could you test on your side please?
If Im understand correctly, ticket 277 is a feature request for adding new '-b' option contain bpf filter in a flat file.
Regards
Rmkml
On Mon, 22 Aug 2011, Amrith Z wrote:
> Hi,
>
> I already tried this. But maybe I didn't do it the way I was supposed to. Where should I put the bpf expression ? I tried with the command line, and also with the -b option, with a bpf file, like said here :
> https://redmine.openinfosecfoundation.org/issues/277
> Both didn't work.
>
> Thank.
> A.
>
> > Date: Mon, 22 Aug 2011 18:15:11 +0200
> > From: rmkml at yahoo.fr
> > To: amrith at hotmail.fr
> > CC: oisf-users at openinfosecfoundation.org; rmkml at yahoo.fr
> > Subject: Re: [Oisf-users] Suricata / only public trafic
> >
> > Hi Amrith,
> > bpf_filter like:
> > http://lists.openinfosecfoundation.org/pipermail/oisf-users/2011-March/000522.html
> > Regards
> > Rmkml
> >
> >
> > On Mon, 22 Aug 2011, Amrith Z wrote:
> >
> > > Hi all,
> > >
> > > I'm a sys admin, and I’m looking for a way to configure Suricata to only alert when the source or the destination corresponds to a public IP, and not regarding trafic from my internal network.
> > > Is there a way to do that ?
> > >
> > > Thanks.
> > >
> > >
>
>
More information about the Oisf-users
mailing list