[Oisf-users] Suricata / only public trafic

Amrith Z amrith at hotmail.fr
Thu Sep 1 09:42:38 UTC 2011


Hi,

I changed hardware. It seems to work now! No idea why... 
But I don't have the msg regarding the bpf filter during startup:

[3049] 1/9/2011 -- 12:37:35 - (suricata.c:440) <Info> (main) -- This is Suricata version 1.1beta1
[3049] 1/9/2011 -- 12:37:35 - (util-cpu.c:171) <Info> (UtilCpuPrintSummary) -- CPUs/cores online: 2

So I'm using 1.1beta1. Should I change?

Do you think it is possible to say in the bpf filter that I want the alerts only when the source OR the destination is a public IP? I think this type of configuration can be very relevant for some cases.

Thx Victor !


> Date: Wed, 31 Aug 2011 11:01:49 +0200
> From: victor at inliniac.net
> To: amrith at hotmail.fr
> CC: oisf-users at openinfosecfoundation.org
> Subject: Re: [Oisf-users] Suricata / only public trafic
> 
> I just tested it and it works fine for me. During startup I have the
> following message:
> 
> [16395] 31/8/2011 -- 10:56:30 - (source-pcap.c:459) <Info>
> (ReceivePcapThreadInit) -- using bpf-filter "not net 192.168.0.0/16"
> 
> Can you confirm you have a similar message?
> 
> Also, what versions of Suricata and libpcap are you using?
> 
> Cheers,
> Victor
> 
> On 08/30/2011 01:44 PM, Amrith Z wrote:
> > 
> > Yes. This is the last line of fast.log:
> > 
> > 08/30/2011-11:00:01.219120  [**] [1:366:7] GPL ICMP_INFO PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 172.18.5.10:8 -> 172.18.8.6:0
> > 
> > Thx Victor.
> > 
> >> Date: Tue, 30 Aug 2011 11:07:34 +0200
> >> From: victor at inliniac.net
> >> To: oisf-users at openinfosecfoundation.org
> >> Subject: Re: [Oisf-users] Suricata / only public trafic
> >>
> >> On 08/30/2011 11:03 AM, Amrith Z wrote:
> >>>
> >>> Thx for answering!
> >>>
> >>>
> >>>
> >>> I changed the bpf filter the way you said, and I still have logs from my internal network.
> >>
> >> Can you post an alert from the fast.log?
> >>
> >> Regards,
> >> Victor
> >>
> >> -- 
> >> ---------------------------------------------
> >> Victor Julien
> >> http://www.inliniac.net/
> >> PGP: http://www.inliniac.net/victorjulien.asc
> >> ---------------------------------------------
> >>
> >> _______________________________________________
> >> Oisf-users mailing list
> >> Oisf-users at openinfosecfoundation.org
> >> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> 
> 
> -- 
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
> 
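Added example, not code from the thread or from the Suricata project: it builds the "source OR destination is public" BPF expression asked about above from the RFC 1918 ranges, parses the endpoints out of the fast.log line quoted in the thread, and emulates both that filter and the thread's "not net 192.168.0.0/16" against it (172.18.x is private but lies outside 192.168.0.0/16, which is why the second filter lets that alert through). Function names and the sample line are my own; IPv4 only.

```python
import ipaddress
import re

# RFC 1918 private IPv4 ranges; 192.168.0.0/16 is the one the thread's filter excludes.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches the endpoint part of a Suricata fast.log line,
# e.g. "{ICMP} 172.18.5.10:8 -> 172.18.8.6:0".
FASTLOG_RE = re.compile(
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+\s*$")


def parse_fastlog_endpoints(line):
    """Return (src, dst) from a fast.log alert line, or None if it does not match."""
    m = FASTLOG_RE.search(line)
    return (m.group("src"), m.group("dst")) if m else None


def is_private(addr):
    return any(ipaddress.ip_address(addr) in net for net in PRIVATE_NETS)


def bpf_public_either_side():
    """BPF expression that keeps a packet only when at least one endpoint is public.

    "src public or dst public" is written as "not (src private and dst private)".
    """
    src_private = " or ".join(f"src net {n}" for n in PRIVATE_NETS)
    dst_private = " or ".join(f"dst net {n}" for n in PRIVATE_NETS)
    return f"not (({src_private}) and ({dst_private}))"


def keeps_not_net_192168(src, dst):
    """Emulates the thread's 'not net 192.168.0.0/16': drop only if either side is in that /16."""
    net = ipaddress.ip_network("192.168.0.0/16")
    return not (ipaddress.ip_address(src) in net or ipaddress.ip_address(dst) in net)


def keeps_public_either_side(src, dst):
    """Emulates bpf_public_either_side(): keep unless both endpoints are private."""
    return not (is_private(src) and is_private(dst))


# Constructed sample: the alert line quoted in the thread.
SAMPLE_ALERT = ("08/30/2011-11:00:01.219120  [**] [1:366:7] GPL ICMP_INFO PING *NIX [**] "
                "[Classification: Misc activity] [Priority: 3] {ICMP} 172.18.5.10:8 -> 172.18.8.6:0")

if __name__ == "__main__":
    src, dst = parse_fastlog_endpoints(SAMPLE_ALERT)
    print(bpf_public_either_side())
    print("not net 192.168.0.0/16 keeps it:", keeps_not_net_192168(src, dst))    # True
    print("public-either-side keeps it:", keeps_public_either_side(src, dst))    # False
```

A capture-level bpf-filter removes the internal-only packets from inspection entirely; if the traffic should still be inspected and only the alerts silenced, the rule variables (HOME_NET/EXTERNAL_NET) or suppress entries in threshold.config are the tool instead.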