[Oisf-users] Suppress all signatures per source IP

[Cooper F. Nelson]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm almost positive that bpf filters are only processed at run-time.
They are actually compiled and then run in kernel space prior to sending
the packets to the suricata process.

If you wanted to be able to do a live refresh you could just use pass
rules, one per host or network like this:

> pass ip 111.222.111.222 any -> any any (sid:1)

(not sure if you even need a sid!)

- -Coop

On 6/26/2014 12:36 PM, Yasha Zislin wrote:
> so if my filter file gets updated, would I have to restart suricata
> service or rule-reload would refresh it?
> 
> Thanks for detailed explanation.
> 
>> Date: Thu, 26 Jun 2014 12:30:26 -0700
>> From: cnelson at ucsd.edu
>> To: coolyasha at hotmail.com; oisf-users at lists.openinfosecfoundation.org
>> Subject: Re: [Oisf-users] Suppress all signatures per source IP
>>
> Again, the right way to do this is via bpf filters. That way the
> packets are efficiently filtered by the kernel.
> 
> Just start suricata with 'not host 111.222.111.222' on the command line.
> 
> If you are going to need a large list, use a filter file specified by
> the -F command line argument.
> 
> Bpf filter syntax is explained here:
> 
>> http://biot.com/capstats/bpf.html
> 
> -Coop
> 

- -- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJTrHffAAoJEKIFRYQsa8FW9m0H/2JAFxaIiYTVmJHQcaARIk1D
nIG2I5Pnv2nwQvkff9mdPSma4oSZYKiSaETwpX6FInO1AnCwLWfynzkpnvd2hEWT
1Ci4T3iM0yl1dcl7dW2PPnTpSSj3gUUlI09zMUYJkvXTqKYIFOnKygCsTuD9a2Qb
xPKzmaqrPCwj3pnmYnS9ZlP8SeQLxSgGIHSWwmpNDAtovVXpVlPgkKN0y3gQfDTT
zq5HPJ/P536FcmADg4l9kWdeLeZ4IxE7tuQ7tSCo7BphPlJNKZ7D0degVLuqBP0v
WpYablvZkbPs5CEIm5ENdXTJ4e9UDtQlZ+GlVy7++yu4uYDPOCfazqzFENIJQn0=
=Djua
-----END PGP SIGNATURE-----