[Oisf-users] Does bpf filter not work in "Inline Mode" ?

Stefan Sabolowitsch Stefan.Sabolowitsch at felten-group.com
Wed Mar 13 14:22:13 UTC 2013


Hi Eric, thanks for the hints and tips.

Actually I have these two queues:
iptables -A FORWARD -i br0 -j NFQUEUE --queue-bypass --queue-num 1 (Network 192.168.1.0/24)
iptables -A FORWARD -i br2 -j NFQUEUE --queue-bypass --queue-num 2 (Network 192.168.100.0/24)

I don't want to lose this traffic on port 6101, otherwise my backup software does not work (suri drops this traffic in IPS mode).
Suri just should not watch this traffic, so that the backup is successful.

How should I fix this with your example?
thx
Stefan
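An added example (not code from the thread or from the Suricata project) of how Eric's iptables-based exclusion could be combined with the two per-bridge NFQUEUE rules above: ACCEPT the backup flows in FORWARD before they reach the NFQUEUE rules, so Suricata never sees them and cannot drop them. The networks and ports are taken from the BPF filter quoted further down; the use of the multiport match, the APPLY switch and the rule names are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread): keep the backup flows out of
# Suricata's NFQUEUE in IPS mode by ACCEPTing them in the FORWARD chain
# ahead of the per-bridge NFQUEUE rules. Networks and ports are taken from
# the BPF filter quoted in the thread; everything else is assumed.
# Without APPLY=1 the rules are only printed, so this runs without root.
set -eu

CLIENT_NET=192.168.1.0/24          # backup clients (br0 side)
SERVER_NET=192.168.100.0/24        # backup server (br2 side)
BACKUP_PORTS=6101,10000,1025:1100  # multiport syntax, ranges use ':'

# Wrapper: APPLY=1 runs iptables for real, otherwise print the command.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        printf 'iptables'; printf ' %s' "$@"; printf '\n'
    fi
}

# Same two directions as the BPF "not (...)" expression: the client net
# talking to the backup ports, and the server net answering from them.
# -I puts the rules at the head of FORWARD, so they win over the NFQUEUE
# rules regardless of when those were added. ACCEPT means Suricata never
# sees these packets: no drop, but also no alert.
accept_backup_flows() {
    ipt -I FORWARD -s "$CLIENT_NET" -p tcp -m multiport --dports "$BACKUP_PORTS" -j ACCEPT
    ipt -I FORWARD -s "$SERVER_NET" -p tcp -m multiport --sports "$BACKUP_PORTS" -j ACCEPT
}

# The two per-bridge queue rules from the thread, appended after the
# bypass rules. Skip this function if they are already in place.
queue_to_suricata() {
    ipt -A FORWARD -i br0 -j NFQUEUE --queue-bypass --queue-num 1
    ipt -A FORWARD -i br2 -j NFQUEUE --queue-bypass --queue-num 2
}

install_rules() {
    accept_backup_flows
    queue_to_suricata
}

install_rules
```

Run it as is to see the commands; run it as root with APPLY=1 to apply them. Adding -d with the peer network to each ACCEPT rule would narrow the bypass to real client/server pairs (the BPF filter only matched on src net, so the example mirrors that). Check with iptables -C before re-adding the NFQUEUE rules on a live box, and keep in mind that --queue-bypass lets all queued traffic through unfiltered whenever Suricata is not listening on the queue.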

On 13.03.2013 at 15:07, Eric Leblond <eric at regit.org> wrote:

Hi,

On Wed, 2013-03-13 at 13:57 +0000, Stefan Sabolowitsch wrote:
Hi Victor, thanks for your fast answer.
But how can I "exclude" such traffic from alerting / dropping (IPS mode)? Will threshold.conf help here?

Just queue the packets you want with NFQUEUE. It could look like:
iptables -I FORWARD -s 192.168.1.0/24  -p tcp --dport 6101 -j NFQUEUE
iptables -I FORWARD -s 192.168.1.0/24  -p tcp --sport 6101 -j NFQUEUE
...

BR,
thx
Stefan

On 13.03.2013 at 14:50, Victor Julien <lists at inliniac.net> wrote:

On 03/13/2013 12:05 PM, Stefan Sabolowitsch wrote:
Hi all, I have suri 1.4.1 here in nfq / inline mode.
I always use this filter (exclude backup stream server <-> client):

not ((src net 192.168.1.0/24 and (dst port 6101 or dst port 10000 or dst portrange 1025-1100)) or (src net 192.168.100.0/24 and (src port 6101 or src port 10000 or src portrange 1025-1100)))

But I found this in fast.log.

03/13/2013-00:18:44.414738  [**] [1:648:7] GPL SHELLCODE x86 NOOP [**] [Classification: Executable Code was Detected] [Priority: 1] {TCP} 192.168.100.20:1025 -> 192.168.1.37:61817

start options:
Executing: suricata --user sguil --group sguil -c /etc/nsm/Serrig-intern/suricata.yaml -F /etc/nsm/Serrig-intern/bpf.filt -q 1 -l /nsm/sensor_data/Serrig-intern

Without inline mode, this filter works.

This is correct. It will not work in IPS mode. I have just created bug
777 to make sure we generate an error/warning in the future.

--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------

_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
OISF: http://www.openinfosecfoundation.org/




--
Eric Leblond <eric at regit.org>
Blog: https://home.regit.org/


