[Oisf-users] Suppress all signatures per source IP
Cooper F. Nelson
cnelson at ucsd.edu
Thu Jun 26 19:43:27 UTC 2014
I'm almost positive that bpf filters are only processed at run-time.
They are actually compiled and then run in kernel space prior to sending
the packets to the suricata process.
If you wanted to be able to do a live refresh you could just use pass
rules, one per host or network like this:
> pass ip 111.222.111.222 any -> any any (sid:1)
(not sure if you even need a sid!)
-Coop
On 6/26/2014 12:36 PM, Yasha Zislin wrote:
> so if my filter file gets updated, would I have to restart suricata
> service or rule-reload would refresh it?
>
> Thanks for detailed explanation.
>
>> Date: Thu, 26 Jun 2014 12:30:26 -0700
>> From: cnelson at ucsd.edu
>> To: coolyasha at hotmail.com; oisf-users at lists.openinfosecfoundation.org
>> Subject: Re: [Oisf-users] Suppress all signatures per source IP
>>
> Again, the right way to do this is via bpf filters. That way the
> packets are efficiently filtered by the kernel.
>
> Just start suricata with 'not host 111.222.111.222' on the command line.
>
> If you are going to need a large list, use a filter file specified by
> the -F command line argument.
>
> Bpf filter syntax is explained here:
>
>> http://biot.com/capstats/bpf.html
>
> -Coop
>
--
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
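The two approaches in the thread (a BPF filter file loaded with `-F`, or one `pass` rule per host) both start from the same list of addresses. The script below is an added example, not code from the list post or from the Suricata project: it turns a constructed list of source IPs and CIDR blocks into both artefacts. Two choices in it go slightly beyond the post and are the editor's, not Cooper's: it uses `src host` / `src net` rather than plain `host`, because `not host X` would also drop traffic *to* X while the thread is about suppressing by source IP, and it gives every pass rule a `sid` (plus `msg` and `rev`), since Suricata expects rules to carry one. The file names, the starting sid and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): build a BPF filter file
# for 'suricata -F' and an equivalent set of pass rules from one list of
# source addresses. Addresses, sids and file names below are assumptions.

# make_bpf_filter: reads one IP or CIDR per line on stdin and prints a single
# BPF expression that excludes traffic *from* those sources. 'src host' /
# 'src net' are used deliberately; a plain 'host X' would also drop packets
# sent to X. Blank lines and '#' comments are skipped.
make_bpf_filter() {
    expr=""
    while IFS= read -r addr; do
        case "$addr" in
            ''|'#'*) continue ;;
            */*)     term="src net $addr" ;;
            *)       term="src host $addr" ;;
        esac
        if [ -z "$expr" ]; then
            expr="$term"
        else
            expr="$expr or $term"
        fi
    done
    if [ -n "$expr" ]; then
        printf 'not (%s)\n' "$expr"
    fi
}

# make_pass_rules: reads the same list and prints one Suricata pass rule per
# entry, matching any IP traffic whose source is that address or block.
# $1 is the first sid to assign (default 9000001, an assumed private range);
# each rule gets the next sid so the file loads without duplicate-sid errors.
make_pass_rules() {
    sid=${1:-9000001}
    while IFS= read -r addr; do
        case "$addr" in ''|'#'*) continue ;; esac
        printf 'pass ip %s any -> any any (msg:"suppress all alerts from %s"; sid:%d; rev:1;)\n' \
            "$addr" "$addr" "$sid"
        sid=$((sid + 1))
    done
}

# Stand-alone demo with a constructed sample list: writes both files.
if [ "${1:-}" = "demo" ]; then
    sample='10.1.2.3
# scanner block, sample data
192.0.2.0/24'
    printf '%s\n' "$sample" | make_bpf_filter > exclude.bpf
    printf '%s\n' "$sample" | make_pass_rules > suppress-sources.rules
    cat exclude.bpf suppress-sources.rules
fi
```

Run it as `sh build-suppression.sh demo` to produce `exclude.bpf` and `suppress-sources.rules`. Before pointing Suricata at the filter file (`suricata -F exclude.bpf -i eth0 ...`), `tcpdump -d "$(cat exclude.bpf)" >/dev/null` is a cheap syntax check, since a bad BPF expression stops Suricata from starting. The trade-off the thread describes still applies: the BPF version means Suricata never sees those packets at all (no flow or protocol logs for them either), while the pass-rule version can be refreshed with a rule reload but costs a rule match per packet.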