[Oisf-users] OT: Question about a bpf filter

Cooper F. Nelson cnelson at ucsd.edu
Tue Mar 10 16:58:36 UTC 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I believe I've done this very thing for a deployment, I just used a BPF
filter of the proxy server and port.  For example 'host 1.1.1.1 and tcp
port 3128'.

Using the src/dst keywords won't work as you'll only see half of the
traffic in either case.

- -Coop

On 3/10/2015 5:24 AM, C. L. Martinez wrote:
> Hi all,
> 
>  Sorry to disturb with this question but I have a doubt. I need to
> filter traffic that comes to one host from our internal nets and
> monitor with suricata.
> 
>  In this host, traffic flows like it does in a web proxy (in fact, it is
> a proxy server for a commercial product). My intention is to monitor
> only connections that arrive at this server, but not connections
> created by it.
> 
>  An example of bpf filter:
> 
>  (ip and not src host 1.1.1.1) or (vlan and not src host 1.1.1.1)
> 
> 
>  I am not sure if this is ok because, what about response connections
> from this server to the client, who has generated the original
> connection?
> 
> Thanks.
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Training now available: http://suricata-ids.org/training/
> 


- -- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJU/yK8AAoJEKIFRYQsa8FWG0YH/jGGO6154aEn9bkkezyWjWIc
QQYApJWbPFj4qHqC/yHThq/0JCJF7MtuVFCS20b8oCwOYnW5kd9OKlgeZV7LOdQh
R+7n0bFOzf+l8/7tAZ57hEVv+HaHQRw2sp0DxHjc64vv7f5VC7V2nJ1gTXu1eKXi
U8BFAWKH1NHW+WNnOwo/2vP4ayrsVEqE2ZoSgBG+I5AaVVbDFGUC0lbBF6G6cX6r
8GwPDeVKDVpL9UbLeZ56xl7a6r+qM9stmAV4QGjvoAoPTWYMYxP5dcEEb2vHfdru
EQWCERxIiwZMLhwmbRLJmG/A/rOO6anfSY0r1WUvp5LxdYhQuMS56JUsJYIEEuY=
=t5wi
-----END PGP SIGNATURE-----
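The point Coop makes above (a filter keyed on the proxy's address as source or destination keeps only one direction of each flow, whereas "host X and tcp port P" keeps both directions of the client-facing flow and drops the proxy's own outbound connections) can be checked without a live capture. The following is an added example, not code from the thread or from the Suricata project: it does not run libpcap, it evaluates hand-written Python predicates that mirror three candidate filters over constructed packets. The proxy address and port are the thread's (1.1.1.1, 3128); the client and origin addresses are assumptions.

```python
"""Model of which packets of a proxied connection survive a BPF filter.

Added example, not from the original mailing-list thread. It does not
compile or run real BPF; each entry in FILTERS is a Python predicate
written to mirror the named pcap-filter expression.
"""
from dataclasses import dataclass

PROXY = "1.1.1.1"        # proxy address from the thread
PROXY_PORT = 3128        # proxy port from the thread
CLIENT = "10.0.0.5"      # assumed internal client
ORIGIN = "203.0.113.7"   # assumed upstream server the proxy fetches from


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    @property
    def flow(self):
        """Direction-independent flow key: both directions map to one key."""
        return tuple(sorted(((self.src, self.sport), (self.dst, self.dport))))


# Constructed traffic: one client<->proxy request/response pair and the
# proxy's own outbound fetch to the origin, in both directions.
SAMPLE = [
    Packet(CLIENT, 51000, PROXY, PROXY_PORT),   # client -> proxy  (wanted)
    Packet(PROXY, PROXY_PORT, CLIENT, 51000),   # proxy  -> client (wanted)
    Packet(PROXY, 40000, ORIGIN, 443),          # proxy  -> origin (not wanted)
    Packet(ORIGIN, 443, PROXY, 40000),          # origin -> proxy  (not wanted)
]

# Predicates approximating the pcap-filter expressions used as keys.
FILTERS = {
    # the original poster's idea: exclude what the proxy sends
    "not src host 1.1.1.1": lambda p: p.src != PROXY,
    # the dst-keyword variant Coop warns against
    "dst host 1.1.1.1": lambda p: p.dst == PROXY,
    # Coop's suggestion: proxy address in either role, proxy port in either role
    "host 1.1.1.1 and tcp port 3128": lambda p: (
        PROXY in (p.src, p.dst) and PROXY_PORT in (p.sport, p.dport)
    ),
}


def apply_filter(name, packets=SAMPLE):
    """Return the packets the named filter would pass to the capture."""
    return [p for p in packets if FILTERS[name](p)]


def directions_kept(name, packets=SAMPLE):
    """Per flow, how many directions survive: 2 means Suricata sees the
    whole conversation, 1 means it sees only half of it."""
    counts = {}
    for p in apply_filter(name, packets):
        counts[p.flow] = counts.get(p.flow, 0) + 1
    return counts


if __name__ == "__main__":
    for name in FILTERS:
        print(name)
        for p in apply_filter(name):
            print(f"  {p.src}:{p.sport} -> {p.dst}:{p.dport}")
        print("  directions per flow:", list(directions_kept(name).values()))
```

Running it shows that both "not src host 1.1.1.1" and "dst host 1.1.1.1" keep one packet of each flow (the client's request and the origin's reply), so the IDS never sees the proxy's responses and still sees half of the outbound connections it was supposed to ignore, while "host 1.1.1.1 and tcp port 3128" keeps both directions of the client-facing flow only. Two caveats for a real deployment: if the proxy's upstream connections also use port 3128 they will match too, and if the monitored link carries 802.1Q-tagged frames the "vlan" keyword still has to be combined with the expression, as in the original poster's filter, because it changes the offsets at which the host and port tests are applied.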
