[Oisf-users] Can I use BPF filter file with suricata?

carlopmart carlopmart at gmail.com
Fri Mar 18 15:44:08 UTC 2011


On 03/18/2011 04:42 PM, Victor Julien wrote:
> On 03/18/2011 04:39 PM, carlopmart wrote:
>> On 03/18/2011 04:36 PM, Victor Julien wrote:
>>> On 03/18/2011 04:27 PM, carlopmart wrote:
>>>> On 03/18/2011 04:05 PM, Victor Julien wrote:
>>>>> On 03/18/2011 01:38 PM, carlopmart wrote:
>>>>>> Hi all
>>>>>>
>>>>>>      Is it possible to use a bpf filter file with suricata? If not, how can
>>>>>> I filter out false positives and known activities??
>>>>>>
>>>>>> Thanks.
>>>>>
>>>>> Yep, suricata -c suricata.yaml -r some.pcap tcp port 80
>>>>>
>>>>> The "tcp port 80" part is the bpf filter.
>>>>>
>>>>> Cheers,
>>>>> Victor
>>>>>
>>>>
>>>> Thanks Julien .. But is it possible to pass bpf options in a file or only
>>>> on command line??
>>>>
>>>>
>>>
>>> Oh sorry, missed that part of your question. Afaik currently we only
>>> support the command line. What can we do to improve?
>>>
>>
>> IMHO it is best to use a file instead of via command line ...
>>
>
> How would this work? A text file with a single expression?
>

Like for example as snort does. An example:

not (dst host 239.192.57.11 and dst port 5405) and
not (dst host 172.17.47.27 and dst port 5405) and
not (dst host 172.17.47.28 and dst port 5405)

-- 
CL Martinez
carlopmart {at} gmail {d0t} com
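Since the thread establishes that suricata takes the BPF expression only as a trailing command-line argument, while the snort-style file above spreads one expression over several lines, a small shell helper bridges the two. The following is an added example, not code from the thread or from the Suricata project: it reads a filter file, strips `#` comments and blank lines, and collapses it to the single expression suricata expects; the filter file contents are constructed here from the addresses in the message above, and `bpf_check` assumes `tcpdump` is available (it is skipped otherwise).

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): keep a multi-line BPF
# expression in a file, snort-style, and turn it into the single argument
# that suricata accepts on its command line.

# bpf_from_file FILE
#   Prints FILE as one BPF expression: '#' comments and blank lines are
#   dropped, the remaining lines are joined with single spaces, and
#   leading/trailing whitespace is trimmed.
bpf_from_file() {
    sed -e 's/#.*$//' "$1" | tr -s '[:space:]' ' ' | sed -e 's/^ //' -e 's/ $//'
}

# bpf_check EXPR
#   Advisory syntax check: tcpdump -d compiles EXPR and prints the BPF
#   program without capturing, so a typo is caught before suricata is
#   started with a filter that silently matches nothing. Returns 0 when
#   tcpdump is not installed. Note: some tcpdump builds still need
#   permission to open an interface even for -d.
bpf_check() {
    command -v tcpdump >/dev/null 2>&1 || return 0
    tcpdump -d "$1" >/dev/null 2>&1
}

# demo
#   Writes a constructed filter file (addresses taken from the thread) to a
#   temporary directory, collapses it, and prints the resulting expression.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/filter.bpf" <<'EOF'
# constructed example filter file, using the hosts/ports from the thread
not (dst host 239.192.57.11 and dst port 5405) and
not (dst host 172.17.47.27 and dst port 5405) and

not (dst host 172.17.47.28 and dst port 5405)
EOF
    filter=$(bpf_from_file "$tmp/filter.bpf")
    rm -rf "$tmp"
    # On a host with tcpdump and capture permission, validate first:
    #   bpf_check "$filter" || { echo "invalid BPF: $filter" >&2; return 1; }
    # Then pass it exactly as the thread shows, as the trailing argument:
    #   suricata -c suricata.yaml -r some.pcap "$filter"
    printf '%s\n' "$filter"
}
```

The expression is passed quoted as one argument so the shell does not split it; a blank line and a comment in the file are tolerated, which keeps the file readable as the list of exclusions grows.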


