[Oisf-users] Suricata / only public trafic

Amrith Z amrith at hotmail.fr
Tue Aug 30 09:03:28 UTC 2011


Thx for answering!



I changed the BPF filter the way you said, and I still have logs from my internal network.

I can't post a pcap file, I'm sorry.



Any ideas?



Thx

> Date: Mon, 29 Aug 2011 17:40:37 +0200
> From: rmkml at yahoo.fr
> To: amrith at hotmail.fr
> CC: rmkml at yahoo.fr
> Subject: RE: [Oisf-users] Suricata / only public trafic
> 
> Hi Amrith
> only for testing: can you change your bpf to 'not net 172.0.0.0/8'
> maybe post a pcap file contains your internal network please?
> Regards
> Rmkml
> 
> 
> On Mon, 29 Aug 2011, Amrith Z wrote:
> 
> > Hi,
> > 
> > Thx for your answer.
> > 
> > This is how I'm currently starting Suricata:
> > /usr/local/bin/suricata --user suricata  -D --pidfile=/var/run/suricata.pid   -c /etc/suricata/suricata.yaml  -i eth1 'not src net 172.0.0.0/8'
> > 
> > Maybe my filter is not correct, because I still have entries where the source IP is my internal network.
> > Any idea?
> > 
> > Thx.
> > 
> > > Date: Mon, 22 Aug 2011 21:37:21 +0200
> > > From: rmkml at yahoo.fr
> > > To: amrith at hotmail.fr
> > > CC: oisf-users at openinfosecfoundation.org; rmkml at yahoo.fr
> > > Subject: RE: [Oisf-users] Suricata / only public trafic
> > >
> > > Thx for reply Amrith,
> > > ok what suricata version you use please?
> > > could you send a suricata starting example please?
> > >
> > > First, I tested starting Suricata v1.0.5 on a pcap file with this command line (without a BPF filter):
> > > ./suricata -c suricata.yaml -r abc.pcap
> > > Suricata fills fast.log with the a.b.c.d IP.
> > > OK, second, I start Suricata again on the same pcap file with a BPF filter like this:
> > > ./suricata -c suricata.yaml -r abc.pcap 'not host a.b.c.d'
> > > Check fast.log: it does NOT contain the a.b.c.d IP.
> > > Could you test on your side please?
> > >
> > > If I understand correctly, ticket 277 is a feature request for adding a new '-b' option that takes the BPF filter from a flat file.
> > > Regards
> > > Rmkml
> > >
> > >
> > > On Mon, 22 Aug 2011, Amrith Z wrote:
> > >
> > > > Hi,
> > > >
> > > > I already tried this. But maybe I didn't do it the way I was supposed to. Where should I put the BPF expression? I tried with the command line, and also with the -b option, with a BPF file, as described here:
> > > > https://redmine.openinfosecfoundation.org/issues/277
> > > > Both didn't work.
> > > >
> > > > Thanks.
> > > > A.
> > > >
> > > > > Date: Mon, 22 Aug 2011 18:15:11 +0200
> > > > > From: rmkml at yahoo.fr
> > > > > To: amrith at hotmail.fr
> > > > > CC: oisf-users at openinfosecfoundation.org; rmkml at yahoo.fr
> > > > > Subject: Re: [Oisf-users] Suricata / only public trafic
> > > > >
> > > > > Hi Amrith,
> > > > > bpf_filter like:
> > > > > http://lists.openinfosecfoundation.org/pipermail/oisf-users/2011-March/000522.html
> > > > > Regards
> > > > > Rmkml
> > > > >
> > > > >
> > > > > On Mon, 22 Aug 2011, Amrith Z wrote:
> > > > >
> > > > > > Hi all,
> > > > > >
> > > > > > I'm a sysadmin, and I'm looking for a way to configure Suricata to only alert when the source or the destination corresponds to a public IP, and not on traffic from my internal network.
> > > > > > Is there a way to do that?
> > > > > >
> > > > > > Thanks.
> > > > > >
> > > > > >
> > > >
> > > >
> > 
> >
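Two things a practitioner would want to check on the filter discussed in this thread, written as an added example that is not part of the original messages or of Suricata itself. First, 'not src net 172.0.0.0/8' only drops packets whose source is in 172/8: internal-to-internal traffic sourced from 10/8 or 192.168/16 still reaches the engine, and 172.0.0.0/8 is far wider than the RFC 1918 range 172.16.0.0/12. A filter that matches the original requirement (alert only when at least one endpoint is public) has to exclude packets where both source and destination are private. Second, once Suricata is running with a filter, the cheapest way to confirm it is doing its job is to audit fast.log for alerts whose endpoints are both private. The script below builds such a BPF expression from the RFC 1918 ranges and audits constructed fast.log lines (the sample lines, signature IDs and addresses are made up for the example; the "{PROTO} src:port -> dst:port" tail is the usual fast.log layout, IPv4 only here). Only the Python standard library is used.

```python
import ipaddress
import re

# RFC 1918 private ranges. This is what "internal network" normally means;
# note 172.16.0.0/12, not 172.0.0.0/8.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_private(addr: str) -> bool:
    """True if addr falls inside one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def internal_only_bpf(nets=RFC1918) -> str:
    """Build a BPF expression that drops packets whose source AND destination
    are both internal, so only traffic with at least one public endpoint is
    handed to Suricata (e.g. as the trailing argument after -i eth1)."""
    src = " or ".join(f"src net {n}" for n in nets)
    dst = " or ".join(f"dst net {n}" for n in nets)
    return f"not (({src}) and ({dst}))"


# fast.log lines end with "{PROTO} SRC:PORT -> DST:PORT" (IPv4 assumed here).
FAST_TAIL = re.compile(r"\{\w+\}\s+(\d+\.\d+\.\d+\.\d+):\d+\s+->\s+(\d+\.\d+\.\d+\.\d+):\d+\s*$")


def endpoints(line: str):
    """Extract (src_ip, dst_ip) from one fast.log line."""
    m = FAST_TAIL.search(line)
    if not m:
        raise ValueError(f"not a fast.log alert line: {line!r}")
    return m.group(1), m.group(2)


def leaked_internal_alerts(lines):
    """Return the fast.log lines whose two endpoints are both private, i.e.
    alerts that should not exist if the capture filter did its job."""
    leaked = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        src, dst = endpoints(line)
        if is_private(src) and is_private(dst):
            leaked.append(line)
    return leaked


# Constructed sample fast.log lines (not real alerts): a single generic
# signature, with source/destination pairs chosen to cover the cases.
_SIG = "[**] [1:1000001:1] EXAMPLE test alert [**] [Classification: Misc activity] [Priority: 3]"
SAMPLE_FAST_LOG = [
    # internal -> public: wanted
    f"08/30/2011-09:03:28.000001  {_SIG} {{TCP}} 192.168.1.10:54321 -> 203.0.113.5:80",
    # internal -> internal: should have been filtered out
    f"08/30/2011-09:03:29.000002  {_SIG} {{TCP}} 10.0.0.5:443 -> 172.16.8.9:51000",
    # 172.20/16 is RFC 1918, destination is public: wanted
    f"08/30/2011-09:03:30.000003  {_SIG} {{TCP}} 172.20.1.1:22 -> 198.51.100.7:40000",
    # public -> internal: wanted
    f"08/30/2011-09:03:31.000004  {_SIG} {{UDP}} 198.51.100.7:53 -> 192.168.1.20:5353",
    # internal -> internal: should have been filtered out
    f"08/30/2011-09:03:32.000005  {_SIG} {{TCP}} 172.16.5.5:8080 -> 192.168.1.3:33000",
]


if __name__ == "__main__":
    print("suggested BPF:", internal_only_bpf())
    for line in leaked_internal_alerts(SAMPLE_FAST_LOG):
        print("internal-only alert leaked through:", line)
```

The audit intentionally looks at both endpoints rather than only the source, which is the same distinction the BPF expression makes; a 'src net' filter alone cannot express "at least one side is public". If the audit keeps reporting internal-only alerts after the filter is in place, the filter is not being applied to the capture at all, which is a different problem from a wrong expression.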