[Oisf-users] Does bpf filter not work in "Inline Mode" ?
Stefan Sabolowitsch
Stefan.Sabolowitsch at felten-group.com
Wed Mar 13 11:05:09 UTC 2013
Hi all, i have here sure 1.4.1 in nfq / inline mode.
I use always this filter (exclude Backup stream server <-> client):
not ((src net 192.168.1.0/24 and (dst port 6101 or dst port 10000 or dst portrange 1025-1100)) or (src net 192.168.100.0/24 and (src port 6101 or src port 10000 or src portrange 1025-1100)))
But i found this in fast.log.
03/13/2013-00:18:44.414738 [**] [1:648:7] GPL SHELLCODE x86 NOOP [**] [Classification: Executable Code was Detected] [Priority: 1] {TCP} 192.168.100.20:1025 -> 192.168.1.37:61817
start options:
Executing: suricata --user sguil --group sguil -c /etc/nsm/Serrig-intern/suricata.yaml -F /etc/nsm/Serrig-intern/bpf.filt -q 1 -l /nsm/sensor_data/Serrig-intern
Without inline mode, this filter will work.
Any idea.
Thanks for any help
Stefan
More information about the Oisf-users
mailing list