[Oisf-users] Can I use BPF filter file with suricata?

Victor Julien victor at inliniac.net
Fri Mar 18 10:52:07 EST 2011


On 03/18/2011 04:44 PM, carlopmart wrote:
> On 03/18/2011 04:42 PM, Victor Julien wrote:
>> On 03/18/2011 04:39 PM, carlopmart wrote:
>>> On 03/18/2011 04:36 PM, Victor Julien wrote:
>>>> On 03/18/2011 04:27 PM, carlopmart wrote:
>>>>> On 03/18/2011 04:05 PM, Victor Julien wrote:
>>>>>> On 03/18/2011 01:38 PM, carlopmart wrote:
>>>>>>> Hi all
>>>>>>>
>>>>>>>      Is it possible to use a bpf filter file with suricata? If not, how can
>>>>>>> I filter out false positives and known activities??
>>>>>>>
>>>>>>> Thanks.
>>>>>>
>>>>>> Yep, suricata -c suricata.yaml -r some.pcap tcp port 80
>>>>>>
>>>>>> The "tcp port 80" part is the bpf filter.
>>>>>>
>>>>>> Cheers,
>>>>>> Victor
>>>>>>
>>>>>
>>>>> Thanks Julien .. But it is posible to pass bpf options in a file or only
>>>>> on command line??
>>>>>
>>>>>
>>>>
>>>> Oh sorry, missed that part of your question. Afaik currently we only
>>>> support the command line. What can we do to improve?
>>>>
>>>
>>> IMHO is best to use a file instead of via command line ...
>>>
>>
>> How would this work? A text file with a single expression?
>>
> 
> Like for example as snort does. An example:
> 
> not (dst host 239.192.57.11 and dst port 5405) and
> not (dst host 172.17.47.27 and dst port 5405) and
> not (dst host 172.17.47.28 and dst port 5405)
> 

Cool, can you open a feature request for this on our redmine site?
https://redmine.openinfosecfoundation.org/projects/suricata

Thanks!
Victor


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------



More information about the Oisf-users mailing list