[Oisf-users] Suricata and BPF filters

Peter Bates peter.bates at ucl.ac.uk
Wed May 30 08:05:04 UTC 2012




Hello all

On 30/05/2012 08:36, Peter Manev wrote:
> Out of curiosity, if you try: suricata -c
> /etc/suricata/suricata.yaml -i eth6 -F /etc/suricata/bpf

I'm presuming not, based on previous discussions on the list - you can
also see 'bpf-filter' in suricata.yaml for PF_RING and PCAP.

I was explicitly trying to use AF_PACKET for performance and to try
the zero copy mode:
https://home.regit.org/2012/02/using-af_packet-zero-copy-mode-in-suricata/

The BPF was mostly to exclude a proportion of traffic, but if I can
make the sensor cope with the traffic the BPF is not so useful - the next
step obviously would be to try PF_RING.

-- 
Peter Bates
Senior Computer Security Officer    Phone: +44(0)2076792049
Information Services Division       Internal Ext: 32049
University College London
London WC1E 6BT
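As an added illustration (not part of the message above, and not Suricata's shipped configuration), here is how the 'bpf-filter' key the message refers to looks for the two capture methods it names, PCAP and PF_RING, used as an exclusion filter of the kind described. The interface name, cluster-id and the filter expression itself are assumptions chosen for the example; whether AF_PACKET honours the same setting is exactly the open question in the thread, so no af-packet section is shown.

```yaml
# Added example, not from the thread or the Suricata project.
# Interface name, cluster-id and the filter expression are assumed.
pcap:
  - interface: eth6
    # Leading "not" turns this into an exclusion: traffic from an assumed
    # noisy backup host and its NFS/portmapper ports never reaches detection.
    bpf-filter: "not (host 10.0.0.5 and (port 2049 or port 111))"

pfring:
  - interface: eth6
    threads: 1
    cluster-id: 99
    cluster-type: cluster_round_robin
    # Same exclusion expression as for pcap above.
    bpf-filter: "not (host 10.0.0.5 and (port 2049 or port 111))"
```

The same expression can instead be placed on its own in a file and passed with -F /etc/suricata/bpf, as in the quoted command line. Before relying on it to shed load, compile it outside Suricata with tcpdump (which reads a filter from a file with -F and dumps the compiled program with -d), for example tcpdump -i eth6 -d -F /etc/suricata/bpf; a syntax error shows up there rather than at sensor start, and the dumped program confirms the filter is the exclusion you intended rather than an inclusion.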