[Oisf-users] Why does the bpf filter not always work correctly?

Eric Leblond eric at regit.org
Wed Feb 26 10:08:01 UTC 2014


Hello,

On Wed, 2014-02-26 at 08:55 +0000, Stefan Sabolowitsch wrote:
> Hi all,
> have here latest git suri version with this start and filter options
> 
> start option (with nfq):
> suricata --user sguil --group sguil -c /etc/nsm/Serrig-intern/suricata.yaml -q 0 -q 1 -q 2 -q 3 -l /nsm/sensor_data/Serrig-intern --runmode workers -F /etc/nsm/Serrig-intern/bpf.filt
> 
> filter option:
> not ((src net 192.168.1.0/24 and (dst port 6101 or dst port 10000 or dst portrange 1025-1100)) or (src net 192.168.100.0/24 and (src port 6101
>  or src port 10000 or src portrange 1025-1100)) or host 192.168.1.43 or host 192.168.100.159)
> 
> The problem is our WSUS server with 192.168.1.43.
> Although it is included in the bpf filter, suri gets 80-100% CPU, but only after a few minutes (ca. 5 min).
> If I disable the WSUS server, everything is OK.

BPF filter is not supported when running in NFQ mode. You should instead
tune your iptables rules to exclude the traffic you don't want.

By the way, you trigger a bug here. Using -F does not display the failure
message linked with BPF being used while IPS mode is activated. I will try to
propose a patch soon.

++
-- 
Eric Leblond <eric at regit.org>
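The reply says a BPF file passed with -F is ignored in NFQ mode and that the exclusion has to be done in iptables instead. The script below is an added example (not part of the original thread, and not Suricata's or the list members' code) that translates the posted BPF expression into iptables rules: traffic the BPF would have dropped from inspection is RETURNed before the NFQUEUE rule, and everything else is balanced across queues 0-3 to match the "-q 0 -q 1 -q 2 -q 3" start line. The chain name SURI_NFQ, the use of the FORWARD chain (an inline bridge/router deployment) and the IPTABLES/SURI_APPLY variables are assumptions for the example. Note that BPF "dst port"/"src port" apply to TCP and UDP, so both protocols get a rule, while the "host" terms match any protocol and therefore get address-only rules.

```shell
#!/bin/sh
# Added example: replace the bpf.filt exclusions with iptables bypass rules
# in front of the NFQUEUE rule. Assumes an inline box where Suricata sees
# FORWARD traffic; set IPTABLES="sudo iptables" or IPTABLES=echo to dry-run.
IPTABLES="${IPTABLES:-iptables}"      # left unquoted below so "sudo iptables" works
CHAIN="${CHAIN:-SURI_NFQ}"            # hypothetical chain name, any name will do

# Values taken from the filter posted in the thread
NET_A="192.168.1.0/24"
NET_B="192.168.100.0/24"
PORTS="6101,10000,1025:1100"          # multiport syntax for the three BPF port terms
HOSTS="192.168.1.43 192.168.100.159"  # "host X" terms: either direction, any protocol

suri_bypass_rules() {
    $IPTABLES -N "$CHAIN"

    # (src net NET_A and dst port ...) / (src net NET_B and src port ...)
    # BPF port matches cover TCP and UDP, so emit one rule per protocol.
    for proto in tcp udp; do
        $IPTABLES -A "$CHAIN" -s "$NET_A" -p "$proto" -m multiport --dports "$PORTS" -j RETURN
        $IPTABLES -A "$CHAIN" -s "$NET_B" -p "$proto" -m multiport --sports "$PORTS" -j RETURN
    done

    # "host X" matches X as source or destination, regardless of protocol
    for h in $HOSTS; do
        $IPTABLES -A "$CHAIN" -s "$h" -j RETURN
        $IPTABLES -A "$CHAIN" -d "$h" -j RETURN
    done

    # Everything that was not excluded goes to Suricata; 0:3 matches -q 0 -q 1 -q 2 -q 3
    $IPTABLES -A "$CHAIN" -j NFQUEUE --queue-balance 0:3

    # Hook the chain in at the top of FORWARD so it runs before any other policy
    $IPTABLES -I FORWARD 1 -j "$CHAIN"
}

# Only touch the kernel when explicitly asked, e.g. SURI_APPLY=1 sh bypass.sh
if [ "${SURI_APPLY:-0}" = "1" ]; then
    suri_bypass_rules
fi
```

Excluded packets RETURN to FORWARD and are then subject to whatever rules follow the jump, so the normal firewall policy still applies to them; packets hitting NFQUEUE are decided by Suricata's verdict. If Suricata is not running, NFQUEUE drops queued packets by default; adding --queue-bypass to the NFQUEUE rule makes the box fail open instead, which is a deployment choice, not something this example decides for you.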
