[Oisf-users] Why does the bpf filter not always work correctly?

Stefan Sabolowitsch Stefan.Sabolowitsch at felten-group.com
Wed Feb 26 08:55:45 UTC 2014


Hi all,
I have here the latest git suri version with these start and filter options:

start option (with nfq):
suricata --user sguil --group sguil -c /etc/nsm/Serrig-intern/suricata.yaml -q 0 -q 1 -q 2 -q 3 -l /nsm/sensor_data/Serrig-intern --runmode workers -F /etc/nsm/Serrig-intern/bpf.filt

filter option:
not ((src net 192.168.1.0/24 and (dst port 6101 or dst port 10000 or dst portrange 1025-1100)) or (src net 192.168.100.0/24 and (src port 6101 or src port 10000 or src portrange 1025-1100)) or host 192.168.1.43 or host 192.168.100.159)

The problem is our WSUS server, 192.168.1.43.
Although it is included in the bpf filter, suri gets 80-100% CPU, but only after a few minutes (ca. 5 min).
If I disable the WSUS server, everything is OK.

Any ideas or help here?
Stefan
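Added example, not part of the post and not Suricata or libpcap code: a small Python evaluator for just the BPF primitives the filter above uses (src/dst host, net, port, portrange, and/or/not, parentheses), run against constructed flows so one can see exactly which packets the filter keeps and which it discards. It confirms what the post expects: an unqualified `host 192.168.1.43` matches the WSUS address at either end of the packet, in both directions and including packets with no ports such as ICMP, and the port ranges are inclusive. Protocol qualifiers (tcp/udp) and anything outside this subset are not modelled. The sample flows and their ports are constructed for the example. One caveat the post does not mention, given here as the editor's understanding of Suricata rather than anything the post states: a `-F` BPF filter is applied by the pcap-style capture modules (pcap, af-packet, pf_ring); with `-q`/NFQ the packets arrive from netfilter, so which traffic Suricata sees is decided by the iptables rules that queue it, and an exclusion in bpf.filt alone is worth verifying against that setup.

```python
import ipaddress
import re
from collections import namedtuple

# Only the fields the filter looks at; ports are None when there is no transport header (ICMP).
Packet = namedtuple("Packet", "src dst sport dport")

# The filter exactly as given in the post, joined onto one line.
FILTER = (
    "not ((src net 192.168.1.0/24 and (dst port 6101 or dst port 10000 "
    "or dst portrange 1025-1100)) or (src net 192.168.100.0/24 and "
    "(src port 6101 or src port 10000 or src portrange 1025-1100)) "
    "or host 192.168.1.43 or host 192.168.100.159)"
)

_TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")


class _Parser:
    """Recursive descent over the subset used above; 'not' binds tightest, then 'and', then 'or'."""
    def __init__(self, text):
        self.toks = _TOKEN_RE.findall(text)
        self.pos = 0

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _next(self):
        self.pos += 1
        return self.toks[self.pos - 1]

    def _or_expr(self):
        terms = [self._and_expr()]
        while self._peek() == "or":
            self._next()
            terms.append(self._and_expr())
        return lambda p: any(t(p) for t in terms)

    def _and_expr(self):
        terms = [self._primary()]
        while self._peek() == "and":
            self._next()
            terms.append(self._primary())
        return lambda p: all(t(p) for t in terms)

    def _primary(self):
        tok = self._next()
        if tok == "(":
            inner = self._or_expr()
            if self._next() != ")":
                raise ValueError("missing ')'")
            return inner
        if tok == "not":
            inner = self._primary()
            return lambda p: not inner(p)
        side = None
        if tok in ("src", "dst"):
            side, tok = tok, self._next()
        if tok in ("host", "net"):
            net = ipaddress.ip_network(self._next(), strict=False)  # a host is a /32
            return self._directional(side, ("src", "dst"),
                                     lambda a: ipaddress.ip_address(a) in net)
        if tok in ("port", "portrange"):
            lo, _, hi = self._next().partition("-")
            lo, hi = int(lo), int(hi or lo)  # 'port N' is the range N-N
            return self._directional(side, ("sport", "dport"), lambda x: lo <= x <= hi)
        raise ValueError(f"unsupported primitive: {tok!r}")

    @staticmethod
    def _directional(side, fields, match):
        # Without a src/dst qualifier a BPF primitive matches either end of the packet.
        chosen = {"src": fields[:1], "dst": fields[1:]}.get(side, fields)
        return lambda p: any(getattr(p, f) is not None and match(getattr(p, f)) for f in chosen)


def compile_bpf(text):
    """Return a predicate that is True for packets the filter lets through to Suricata."""
    parser = _Parser(text)
    pred = parser._or_expr()
    if parser.pos != len(parser.toks):
        raise ValueError(f"trailing tokens: {parser.toks[parser.pos:]!r}")
    return pred


# Constructed sample flows, not captured traffic; the ports are arbitrary.
SAMPLE_PACKETS = [
    Packet("192.168.1.43", "192.168.1.50", 8530, 51000),   # from the WSUS host
    Packet("192.168.1.50", "192.168.1.43", 51000, 8530),   # to the WSUS host
    Packet("192.168.1.50", "10.0.0.5", 40000, 10000),      # LAN source, dst port 10000
    Packet("192.168.1.50", "10.0.0.5", 40000, 1101),       # 1101 lies outside 1025-1100
    Packet("192.168.100.7", "10.0.0.5", 1100, 40000),      # portrange end is inclusive
    Packet("10.0.0.5", "192.168.1.50", 10000, 40000),      # src port 10000 but wrong src net
    Packet("192.168.1.43", "192.168.1.50", None, None),    # ICMP from the WSUS host
]


def evaluate_samples(filter_text=FILTER, packets=SAMPLE_PACKETS):
    """True: Suricata would inspect the packet; False: the filter discards it."""
    keep = compile_bpf(filter_text)
    return [keep(p) for p in packets]
```

Calling `evaluate_samples()` on the constructed flows returns `[False, False, False, True, False, True, False]`: both directions of WSUS traffic and the ICMP packet are discarded by the `host` term, the flow to port 1101 and the flow whose source is outside both /24s are kept. To try a different expression, pass it to `compile_bpf` and apply the returned predicate to `Packet` values; anything outside the supported subset raises `ValueError` rather than silently matching.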

