[Oisf-users] Does bpf filter not work in "Inline Mode" ?

Eric Leblond eric at regit.org
Wed Mar 13 14:47:40 UTC 2013 

Hi,

On Wed, 2013-03-13 at 14:22 +0000, Stefan Sabolowitsch wrote:
> Hi Eric, thanks for hints and tips. 
> 
> 
> actually i have this two queue:
> iptables -A FORWARD -i br0 -j NFQUEUE --queue-bypass --queue-num 1
> (Network 192.168.1.0/24)
> iptables -A FORWARD -i br2 -j NFQUEUE --queue-bypass --queue-num 2
> (Network 192.168.100.0/24) 

Just get via an iptables filter the packet you want to analyse in
suricata. For example, if your backup system is on port 6101 tcp you
could use:

iptables -A FORWARD -i br0 -j NFQUEUE -p udp --queue-bypass --queue-num 1 
iptables -A FORWARD -i br0 -j NFQUEUE -p tcp ! --dport 6101 --queue-bypass --queue-num 1 
...

BR,

> 
> I will not lose this traffic on port 6101, otherwise my backup
> software does not work (sure drop this traffic in IPS mode).
> Only suri should not watch the traffic, so that the backup is
> successful.
> 
> 
> How should I fix this with your example?
> thx
> Stefan
>  
> Am 13.03.2013 um 15:07 schrieb Eric Leblond <eric at regit.org>
> :
> 
> > Hi,
> > 
> > On Wed, 2013-03-13 at 13:57 +0000, Stefan Sabolowitsch wrote:
> > > Hi Victor, thanks for your fast answer.
> > > But how can i "exclude" such traffic /alarming / drop (IPS-Mode) ,
> > > will threshold.conf here help ?
> > 
> > Just queue the packet you want with NFQUEUE. It could looks like:
> > iptables -I FORWARD -s 192.168.1.0/24  -p tcp --dport 6101 -j
> > NFQUEUE
> > iptables -I FORWARD -s 192.168.1.0/24  -p tcp --sport 6101 -j
> > NFQUEUE
> > ...
> > 
> > BR,
> > > thx
> > > Stefan
> > > 
> > > Am 13.03.2013 um 14:50 schrieb Victor Julien <lists at inliniac.net>
> > > :
> > > 
> > > > On 03/13/2013 12:05 PM, Stefan Sabolowitsch wrote:
> > > > > Hi all, i have here sure 1.4.1 in nfq / inline mode.
> > > > > I use always this filter (exclude Backup stream server <->
> > > > > client):
> > > > > 
> > > > > not ((src net 192.168.1.0/24 and (dst port 6101 or dst port
> > > > > 10000 or dst portrange 1025-1100)) or (src net
> > > > > 192.168.100.0/24 and (src port 6101 or src port 10000 or src
> > > > > portrange 1025-1100)))
> > > > > 
> > > > > But i found this in fast.log.
> > > > > 
> > > > > 03/13/2013-00:18:44.414738  [**] [1:648:7] GPL SHELLCODE x86
> > > > > NOOP [**] [Classification: Executable Code was Detected]
> > > > > [Priority: 1] {TCP} 192.168.100.20:1025 -> 192.168.1.37:61817
> > > > > 
> > > > > start options:
> > > > > Executing: suricata --user sguil --group sguil
> > > > > -c /etc/nsm/Serrig-intern/suricata.yaml
> > > > > -F /etc/nsm/Serrig-intern/bpf.filt -q 1
> > > > > -l /nsm/sensor_data/Serrig-intern
> > > > > 
> > > > > Without inline mode, this filter will work.
> > > > 
> > > > This is correct. It will not work in IPS mode. I have just
> > > > created bug
> > > > 777 to make sure we generate an error/warning in the future.
> > > > 
> > > > -- 
> > > > ---------------------------------------------
> > > > Victor Julien
> > > > http://www.inliniac.net/
> > > > PGP: http://www.inliniac.net/victorjulien.asc
> > > > ---------------------------------------------
> > > > 
> > > > _______________________________________________
> > > > Suricata IDS Users mailing list:
> > > > oisf-users at openinfosecfoundation.org
> > > > Site: http://suricata-ids.org | Support:
> > > > http://suricata-ids.org/support/
> > > > List:
> > > > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > > > OISF: http://www.openinfosecfoundation.org/
> > > > 
> > > 
> > > 
> > > _______________________________________________
> > > Suricata IDS Users mailing list:
> > > oisf-users at openinfosecfoundation.org
> > > Site: http://suricata-ids.org | Support:
> > > http://suricata-ids.org/support/
> > > List:
> > > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > > OISF: http://www.openinfosecfoundation.org/
> > 
> 
> 
-- 
Eric Leblond <eric at regit.org>
Blog: https://home.regit.org/

More information about the Oisf-users mailing list