[Oisf-users] Suricata and BPF filters

Peter Manev petermanev at gmail.com
Tue May 29 13:43:01 UTC 2012


Hi,

If you have the possibility to try
suricata -c /etc/suricata/suricata.yaml -i eth6 -F /etc/suricata/bpf

would you still have the issue?
(trying to narrow down the issue)
thanks

On Tue, May 29, 2012 at 3:35 PM, Peter Bates <peter.bates at ucl.ac.uk> wrote:

>
> Hello all
>
> I'm trying the following with Suricata (cloned from git earlier today)
>
> suricata -c /etc/suricata/suricata.yaml --af-packet=eth6 --runmode=workers -F /etc/suricata/bpf
>
> The contents of the BPF is:
>
> net (144.82.114.0/23) or host (193.60.236.98 or 91.233.244.102 or
> 74.207.249.7 or 50.116.35.158 or 23.21.71.54 or 128.61.240.94 or
> 50.62.12.103 or 82.141.230.155 or 194.98.50.137)
>
> - which I've used as the -F argument to Snort and which appears to
> work okay but with Suricata I'm definitely seeing hits that do not
> match the above.
>
> Is there something wrong with my BPF list or am I missing something?
>
> --
> Peter Bates
> Senior Computer Security Officer    Phone: +44(0)2076792049
> Information Services Division       Internal Ext: 32049
> University College London
> London WC1E 6BT



-- 
Regards,
Peter Manev
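
One way to confirm which alerts fall outside the posted filter, as an added example that is not part of the original thread: it parses the filter's `net`/`host` groups and lists fast.log-style alert lines where neither endpoint matches. The alert lines are constructed, and the parser assumes the flat IPv4 `or` form posted above, not the full pcap-filter syntax.

```python
import ipaddress
import re

# Filter text as posted in the thread (contents of /etc/suricata/bpf).
BPF = """net (144.82.114.0/23) or host (193.60.236.98 or 91.233.244.102 or
74.207.249.7 or 50.116.35.158 or 23.21.71.54 or 128.61.240.94 or
50.62.12.103 or 82.141.230.155 or 194.98.50.137)"""

# Constructed fast.log-style lines (documentation addresses, not real alerts).
HDR = "05/29/2012-13:35:02.000001  [**] [1:1000001:1] Constructed alert [**] "
SAMPLE_ALERTS = [
    HDR + "[Priority: 3] {TCP} 144.82.115.20:51234 -> 198.51.100.7:80",
    HDR + "[Priority: 3] {TCP} 203.0.113.9:443 -> 193.60.236.98:40000",
    HDR + "[Priority: 3] {UDP} 192.0.2.15:53 -> 198.51.100.99:33333",
    HDR + "[Priority: 3] {TCP} 144.82.116.1:22 -> 192.0.2.44:5555",
]

ADDR = r"\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?"
FLOW = re.compile(r"\{\w+\}\s+(\S+):\d+\s+->\s+(\S+):\d+\s*$")


def parse_filter(text):
    """Networks named by 'net (...)' / 'host (...)' groups joined with 'or'.
    Assumption: flat IPv4 form as posted, not the full pcap-filter grammar."""
    nets = []
    for _kind, body in re.findall(r"\b(net|host)\s*\(([^)]*)\)", text):
        for addr in re.findall(ADDR, body):
            nets.append(ipaddress.ip_network(addr))  # bare host becomes /32
    return nets


def outside_filter(lines, nets):
    """Return (src, dst) for alerts where neither endpoint is in the filter."""
    misses = []
    for line in lines:
        m = FLOW.search(line)
        if not m:
            continue  # not an alert line with a src -> dst pair
        src, dst = (ipaddress.ip_address(a) for a in m.groups())
        if not any(src in n or dst in n for n in nets):
            misses.append((str(src), str(dst)))
    return misses


if __name__ == "__main__":
    for src, dst in outside_filter(SAMPLE_ALERTS, parse_filter(BPF)):
        print("outside filter:", src, "->", dst)
```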