[Oisf-users] Does bpf filter not work in "Inline Mode" ?

Eric Leblond eric at regit.org
Wed Mar 13 14:07:32 UTC 2013


Hi,

On Wed, 2013-03-13 at 13:57 +0000, Stefan Sabolowitsch wrote:
> Hi Victor, thanks for your fast answer.
> But how can i "exclude" such traffic /alarming / drop (IPS-Mode) , will threshold.conf here help ?

Just queue the packet you want with NFQUEUE. It could look like:
iptables -I FORWARD -s 192.168.1.0/24  -p tcp --dport 6101 -j NFQUEUE
iptables -I FORWARD -s 192.168.1.0/24  -p tcp --sport 6101 -j NFQUEUE
...

BR,
> thx
> Stefan
> 
> Am 13.03.2013 um 14:50 schrieb Victor Julien <lists at inliniac.net>
> :
> 
> > On 03/13/2013 12:05 PM, Stefan Sabolowitsch wrote:
> >> Hi all, i have here sure 1.4.1 in nfq / inline mode.
> >> I use always this filter (exclude Backup stream server <-> client):
> >> 
> >> not ((src net 192.168.1.0/24 and (dst port 6101 or dst port 10000 or dst portrange 1025-1100)) or (src net 192.168.100.0/24 and (src port 6101 or src port 10000 or src portrange 1025-1100)))
> >> 
> >> But i found this in fast.log.
> >> 
> >> 03/13/2013-00:18:44.414738  [**] [1:648:7] GPL SHELLCODE x86 NOOP [**] [Classification: Executable Code was Detected] [Priority: 1] {TCP} 192.168.100.20:1025 -> 192.168.1.37:61817
> >> 
> >> start options:
> >> Executing: suricata --user sguil --group sguil -c /etc/nsm/Serrig-intern/suricata.yaml -F /etc/nsm/Serrig-intern/bpf.filt -q 1 -l /nsm/sensor_data/Serrig-intern
> >> 
> >> Without inline mode, this filter will work.
> > 
> > This is correct. It will not work in IPS mode. I have just created bug
> > 777 to make sure we generate an error/warning in the future.
> > 
> > -- 
> > ---------------------------------------------
> > Victor Julien
> > http://www.inliniac.net/
> > PGP: http://www.inliniac.net/victorjulien.asc
> > ---------------------------------------------
> > 
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > OISF: http://www.openinfosecfoundation.org/
> > 
> 

-- 
Eric Leblond <eric at regit.org>
Blog: https://home.regit.org/
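Added example (not part of the thread, and not Eric's or Suricata's own code): the BPF expression in Stefan's bpf.filt is ignored in nfq/inline mode, so the same exclusion has to be expressed in iptables, which is what decides which packets reach queue 1 at all. The script below turns that BPF filter into a rule set: the backup stream (networks and ports taken from the filter in the thread, queue number from the "-q 1" start option) is ACCEPTed before anything is queued, and everything else in FORWARD goes to NFQUEUE. The chain name SURICATA_IN and the "--apply" flag are assumptions of this example; by default it only prints the rules so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Example: replace a BPF "-F" exclusion with iptables selection for
# Suricata in NFQUEUE (inline) mode. Values from the thread:
#   backup server net 192.168.1.0/24, backup client net 192.168.100.0/24,
#   ports 6101, 10000 and 1025-1100, Suricata started with -q 1.
# SURICATA_IN is an assumed chain name, not anything Suricata requires.

BACKUP_SRV_NET="192.168.1.0/24"
BACKUP_CLI_NET="192.168.100.0/24"
BACKUP_PORTS="6101 10000 1025:1100"   # iptables uses a:b for port ranges
QUEUE_NUM=1                           # must match suricata -q <num>

# Print the rule list instead of executing it, so it can be reviewed.
# $1 is the name of the user-defined chain to create.
gen_rules() {
    chain="$1"
    echo "iptables -N $chain"
    # Server net -> backup ports: ACCEPT here ends FORWARD processing,
    # so these packets never reach the NFQUEUE rule (the "not (...)" part
    # of the BPF filter).
    for dport in $BACKUP_PORTS; do
        echo "iptables -A $chain -s $BACKUP_SRV_NET -p tcp --dport $dport -j ACCEPT"
    done
    # Client net replies come from the same ports (src port in the BPF).
    for sport in $BACKUP_PORTS; do
        echo "iptables -A $chain -s $BACKUP_CLI_NET -p tcp --sport $sport -j ACCEPT"
    done
    # Everything else is handed to Suricata for inspection.
    echo "iptables -A $chain -j NFQUEUE --queue-num $QUEUE_NUM"
    # Insert at the top of FORWARD so the chain is consulted first.
    echo "iptables -I FORWARD -j $chain"
}

# Number of rules the generator emits (useful as a sanity check).
count_rules() {
    gen_rules "$1" | wc -l | tr -d ' '
}

# Number of ACCEPT (exclusion) rules in the generated set.
count_excludes() {
    gen_rules "$1" | grep -c -- '-j ACCEPT'
}

if [ "$1" = "--apply" ]; then
    # Only reached when explicitly requested; needs root and iptables.
    gen_rules SURICATA_IN | sh -e
else
    gen_rules SURICATA_IN
fi
```

Traffic that hits an ACCEPT rule in the chain bypasses Suricata entirely, so nothing in threshold.conf is involved; the trade-off is that the excluded flows are not inspected at all, exactly as with the BPF filter in IDS mode. If the queue number in the NFQUEUE rule does not match the -q value Suricata is started with, the queued packets are dropped by the kernel once the queue has no listener, so keep the two in sync.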
