[Oisf-users] Suricata and BPF filters

Peter Manev petermanev at gmail.com
Wed May 30 07:36:41 UTC 2012


On Tue, May 29, 2012 at 3:42 PM, Victor Julien <victor at inliniac.net> wrote:

> On 05/29/2012 03:35 PM, Peter Bates wrote:
> >
> > Hello all
> >
> > I'm trying the following with Suricata (cloned from git earlier
> > today)
> >
> > suricata -c /etc/suricata/suricata.yaml --af-packet=eth6
> > --runmode=workers -F /etc/suricata/bpf
> >
> > The contents of the BPF is:
> >
> > net (144.82.114.0/23) or host (193.60.236.98 or 91.233.244.102 or
> > 74.207.249.7 or 50.116.35.158 or 23.21.71.54 or 128.61.240.94 or
> > 50.62.12.103 or 82.141.230.155 or 194.98.50.137)
> >
> > - which I've used as the -F argument to Snort and which appears to
> > work okay but with Suricata I'm definitely seeing hits that do not
> > match the above.
> >
> > Is there something wrong with my BPF list or am I missing
> > something?
>
> BPF is not yet supported for af_packet:
> https://redmine.openinfosecfoundation.org/issues/440
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>

Out of curiosity, if you try:
suricata -c /etc/suricata/suricata.yaml -i eth6 -F /etc/suricata/bpf

would you still have the issue?

-- 
Regards,
Peter Manev
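A small check for the symptom described in the thread (alerts that should have been excluded by the -F filter), added here as an example and not code from the thread or from Suricata: it parses the net/host list from the quoted filter and reports which alert endpoints fall outside it. The filter text is copied from the message; the sample alerts and the parse_filter/alerts_outside_filter names are constructed for this example.

```python
import ipaddress
import re

# Copied from the thread: the contents of /etc/suricata/bpf
BPF_FILTER = (
    "net (144.82.114.0/23) or host (193.60.236.98 or 91.233.244.102 or "
    "74.207.249.7 or 50.116.35.158 or 23.21.71.54 or 128.61.240.94 or "
    "50.62.12.103 or 82.141.230.155 or 194.98.50.137)"
)


def parse_filter(expr):
    """Extract the networks named by a filter built only from
    'net (...)' and 'host (...)' groups joined by 'or' (assumption:
    no negation or direction qualifiers). Hosts become /32 networks
    so a single list covers both primitives."""
    nets = []
    for _kind, body in re.findall(r"\b(net|host)\s*\(([^)]*)\)", expr):
        for token in re.split(r"\s+or\s+", body.strip()):
            nets.append(ipaddress.ip_network(token, strict=False))
    return nets


def matches(nets, src, dst):
    """True if either endpoint is covered: an undirected net/host
    primitive matches a packet with that address as source or dest."""
    return any(ipaddress.ip_address(ip) in n for n in nets for ip in (src, dst))


def alerts_outside_filter(nets, alerts):
    """Return the alerts whose endpoints the filter should have excluded."""
    return [a for a in alerts if not matches(nets, a["src"], a["dst"])]


# Constructed sample alerts standing in for src/dst pairs taken from fast.log
SAMPLE_ALERTS = [
    {"src": "144.82.115.10", "dst": "8.8.8.8"},    # inside the /23
    {"src": "10.0.0.5", "dst": "193.60.236.98"},   # host match on dst
    {"src": "10.0.0.5", "dst": "203.0.113.7"},     # neither endpoint listed
]

if __name__ == "__main__":
    nets = parse_filter(BPF_FILTER)
    for alert in alerts_outside_filter(nets, SAMPLE_ALERTS):
        print("alert outside filter:", alert)
```

Feeding the real src/dst pairs from fast.log in place of SAMPLE_ALERTS shows directly whether the filter was applied on the capture path in use.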