[Oisf-users] Best approach to monitor http traffic with suricata

C. L. Martinez carlopmart at gmail.com
Wed Dec 5 10:22:32 UTC 2012


Hi all,

 I have installed a new suricata sensor using release 1.4rc1 to
monitor a pool of http servers. I need to monitor only http traffic
with this sensor (over 35 http ports). In order to control the list of
these http ports I was planning to use a bpf filter, but I have doubts
about its syntax.

a) First filter:

"tcp port 80 or tcp port 81 or tcp port 1100 or tcp port 1333 ..." and so on

b) Second Filter:

"tcp dst port 80 or tcp dst port 81 or tcp dst port 1100 or tcp dst
port 1333 ..." and so on

c) Third filter (only packets that contain data)

"tcp port 80 or tcp port 81 or tcp port 100 ... and (((ip[2:2] -
((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)" and so on

or

"tcp dst port 80 or tcp dst port 81 or tcp dst port 100 ... and
(((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)" and so on

What do you think??

Thanks.
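As an added illustration (not part of the original post): the Python below assembles the BPF string from a constructed sample of the port list and re-implements the payload-length arithmetic of filter (c) over constructed IPv4/TCP packets. It shows that an ACK-only segment (even one carrying TCP options) evaluates to zero while a segment with an HTTP request does not, and that the `dst port` variant (b) drops the servers' responses, which filter (a) keeps.

```python
import struct

# Constructed sample of the sensor's HTTP port list (the real list has 35+ entries)
HTTP_PORTS = [80, 81, 1100, 1333]

# The payload-length test from the post: IP total length minus IP header length
# minus TCP header length (data offset); zero for segments without data.
PAYLOAD_TEST = "(((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)"


def build_filter(ports, dst_only=False):
    """Assemble the BPF string for the port list, optionally destination-only."""
    prim = "tcp dst port" if dst_only else "tcp port"
    port_expr = " or ".join(f"{prim} {p}" for p in ports)
    return f"({port_expr}) and {PAYLOAD_TEST}"


def tcp_payload_len(pkt):
    """Evaluate the same arithmetic as PAYLOAD_TEST on a raw IPv4/TCP packet."""
    ip_total_len = struct.unpack_from("!H", pkt, 2)[0]   # ip[2:2]
    ip_hdr_len = (pkt[0] & 0x0F) << 2                     # (ip[0]&0xf)<<2
    # tcp[12] is relative to the TCP header, i.e. after the (variable) IP header
    tcp_hdr_len = (pkt[ip_hdr_len + 12] & 0xF0) >> 2      # (tcp[12]&0xf0)>>2
    return ip_total_len - ip_hdr_len - tcp_hdr_len


def matches(pkt, ports, dst_only=False):
    """Emulate the full filter: port match and a non-empty TCP payload."""
    ihl = (pkt[0] & 0x0F) << 2
    src, dst = struct.unpack_from("!HH", pkt, ihl)
    port_ok = dst in ports or (not dst_only and src in ports)
    return port_ok and tcp_payload_len(pkt) != 0


def make_packet(dst_port, payload, tcp_options=b"", src_port=40000):
    """Constructed IPv4/TCP segment (checksums left zero; enough for header math)."""
    tcp_len = 20 + len(tcp_options)                       # options padded to 4 bytes
    total = 20 + tcp_len + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0x4000, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp_hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1,
                          (tcp_len // 4) << 4, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + tcp_options + payload


if __name__ == "__main__":
    print(build_filter(HTTP_PORTS))
    req = make_packet(80, b"GET / HTTP/1.1\r\n")
    ack = make_packet(80, b"", b"\x01\x01\x08\x0a" + b"\x00" * 8)  # ACK with TS option
    resp = make_packet(40000, b"HTTP/1.1 200 OK\r\n", src_port=80)
    print(matches(req, HTTP_PORTS), matches(ack, HTTP_PORTS))      # True False
    print(matches(resp, HTTP_PORTS), matches(resp, HTTP_PORTS, dst_only=True))  # True False
```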
