[Oisf-users] Suricata / only public trafic

rmkml rmkml at yahoo.fr
Mon Aug 22 19:37:21 UTC 2011


Thanks for the reply, Amrith,
OK, what Suricata version do you use please?
Could you send a Suricata starting example please?

First, I tested starting Suricata v1.0.5 on a pcap file with this command line (without a BPF filter):
  ./suricata -c suricata.yaml -r abc.pcap
Suricata fills fast.log with the a.b.c.d IP.
Second, I started Suricata again on the same pcap file with a BPF filter like this:
  ./suricata -c suricata.yaml -r abc.pcap 'not host a.b.c.d'
Checking fast.log, it does NOT contain the a.b.c.d IP.
Could you test on your side please?

If I understand correctly, ticket 277 is a feature request for adding a new '-b' option that takes a BPF filter from a flat file.
Regards
Rmkml


On Mon, 22 Aug 2011, Amrith Z wrote:

> Hi,
> 
> I already tried this. But maybe I didn't do it the way I was supposed to. Where should I put the bpf expression? I tried with the command line, and also with the -b option, with a bpf file, as said here:
> https://redmine.openinfosecfoundation.org/issues/277
> Neither worked.
> 
> Thanks.
> A.
> 
> > Date: Mon, 22 Aug 2011 18:15:11 +0200
> > From: rmkml at yahoo.fr
> > To: amrith at hotmail.fr
> > CC: oisf-users at openinfosecfoundation.org; rmkml at yahoo.fr
> > Subject: Re: [Oisf-users] Suricata / only public trafic
> >
> > Hi Amrith,
> > bpf_filter like:
> > http://lists.openinfosecfoundation.org/pipermail/oisf-users/2011-March/000522.html
> > Regards
> > Rmkml
> >
> >
> > On Mon, 22 Aug 2011, Amrith Z wrote:
> >
> > > Hi all,
> > >
> > > I'm a sys admin, and I'm looking for a way to configure Suricata to only alert when the source or the destination corresponds to a public IP, and not regarding traffic from my internal network.
> > > Is there a way to do that?
> > >
> > > Thanks.
> > >
> > >
> 
>


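As an added example (not code from the thread or from the Suricata project), the following Python script automates the check rmkml describes: it parses fast.log lines in Suricata's one-line alert format, reports which alerts involve a given host (the "not host a.b.c.d" test), and, going one step beyond the thread toward Amrith's original question, keeps only alerts with at least one endpoint outside a configured list of internal networks and builds the matching BPF expression for the command-line form used above. The sample log lines are constructed, the internal network list and the function names are assumptions, and only IPv4 endpoints are handled.

```python
import ipaddress
import re

# Constructed fast.log lines in Suricata's one-line alert format
# (made-up alerts; not output from the thread's abc.pcap).
SAMPLE_FAST_LOG = """\
08/22/2011-19:37:21.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:80 -> 192.168.1.5:45678
08/22/2011-19:37:22.000001  [**] [1:2000001:1] CONSTRUCTED internal scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.5:55000 -> 192.168.1.20:22
08/22/2011-19:37:23.000002  [**] [1:2000002:1] CONSTRUCTED icmp probe [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.7 -> 192.168.1.5
"""

# Assumed internal address space (the sysadmin would substitute their own).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "10.0.0.0/8")]

# Matches the trailing "{PROTO} src[:port] -> dst[:port]" of a fast.log line.
ALERT_RE = re.compile(r"\{(?P<proto>[A-Z0-9]+)\} (?P<src>\S+) -> (?P<dst>\S+)$")


def strip_port(endpoint):
    """Drop the ':port' suffix of an IPv4 endpoint; ICMP lines carry none."""
    return endpoint.rsplit(":", 1)[0] if ":" in endpoint else endpoint


def parse_fast_log(text):
    """Return a list of (src_ip, dst_ip) tuples, one per alert line; non-matching lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            alerts.append((strip_port(m.group("src")), strip_port(m.group("dst"))))
    return alerts


def alerts_involving(alerts, host):
    """Alerts where host is the source or the destination."""
    return [a for a in alerts if host in a]


def host_absent_from_fast_log(text, host):
    """The check in the thread: True when no alert in fast.log involves host."""
    return not alerts_involving(parse_fast_log(text), host)


def is_internal(ip, nets=INTERNAL_NETS):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def alerts_with_public_endpoint(alerts, nets=INTERNAL_NETS):
    """Alerts where at least one endpoint lies outside the internal networks."""
    return [a for a in alerts if not all(is_internal(ip, nets) for ip in a)]


def bpf_excluding_internal_only(net_strings):
    """BPF expression dropping packets whose source AND destination are both internal,
    so only traffic with a public endpoint reaches the engine. Pass it the way the
    thread does: ./suricata -c suricata.yaml -r abc.pcap '<expression>'."""
    src = " or ".join(f"src net {n}" for n in net_strings)
    dst = " or ".join(f"dst net {n}" for n in net_strings)
    return f"not (({src}) and ({dst}))"


if __name__ == "__main__":
    alerts = parse_fast_log(SAMPLE_FAST_LOG)
    print("alerts involving 192.168.1.5:", alerts_involving(alerts, "192.168.1.5"))
    print("192.168.1.20 absent:", host_absent_from_fast_log(SAMPLE_FAST_LOG, "192.168.1.20"))
    print("alerts with a public endpoint:", alerts_with_public_endpoint(alerts))
    print("BPF:", bpf_excluding_internal_only(["192.168.0.0/16", "10.0.0.0/8"]))
```

Running the script against the real fast.log before and after the filtered run makes the comparison rmkml asks for repeatable: `host_absent_from_fast_log(open("fast.log").read(), "a.b.c.d")` should flip from False to True once the BPF filter is in effect. The generated expression uses `src net`/`dst net` rather than `host`, because the original question is about excluding flows whose both ends are internal, not a single address.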