[Oisf-users] Suricata bpf limitations? not statement

Jeremy MJ jskier at gmail.com
Fri Feb 26 18:49:53 UTC 2016


Hi,

Are there any limitations to the bpf filter, whether it be in the file
or yaml config? I have one using a not statement and it seems to bork
suricata (service runs but won't scan any traffic). I QCed it with
Wireshark and tcpdump, and it works just fine. Also, checked that I'm
not blocking a gateway or proxy server. Using things like tcp and port
80 work fine in suricata, seems specific to the not statement.

I can send an obfuscated filter if interested. Basically, it's a group
of internal hosts (by ip across the board):
not (host x OR host y....) and not net z/16. I tried playing with src
and dest for this too, but suricata won't see or analyze any traffic
when either bpf filter is used.

Running suricata 3 on pfring, monitor only. I thought this may be
related to erspan, but this instance is working with traffic from
rspan.

--
Jeremy MJ
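Added example, not from this thread or from Suricata: a small evaluator for the pcap-filter subset the filter above uses, so the decision a grouped versus ungrouped `not` produces can be checked packet by packet before the expression goes into the sensor config. It follows libpcap precedence (`not` tightest, then `and`, then `or`; an unqualified `host`/`net` matches either endpoint); lowercasing of keywords and all addresses are the example's own assumptions.

```python
import ipaddress
import re
# Added example (not from the thread): evaluator for the pcap-filter subset in
# the post (host, net, optional src/dst qualifier, not/and/or, parentheses).
# Precedence follows libpcap: not binds tightest, then and, then or; an
# unqualified host/net matches either endpoint.  Sample addresses are constructed.
class BpfSubset:
    def __init__(self, expr):
        self.toks = [t.lower() for t in re.findall(r"\(|\)|[^\s()]+", expr)]
        self.i = 0
        self.ast = self._expr()
    def _take(self, expected=None):  # consume the next token (or only `expected`)
        tok = self.toks[self.i] if self.i < len(self.toks) else None
        if expected is None or tok == expected:
            self.i += 1
            return tok
    def _chain(self, op, sub):  # left-associative chain of `sub` joined by `op`
        node = sub()
        while self._take(op):
            node = (op, node, sub())
        return node
    def _expr(self):  # or binds loosest, then and, then not
        return self._chain("or", lambda: self._chain("and", self._not))
    def _not(self):
        return ("not", self._not()) if self._take("not") else self._atom()
    def _atom(self):
        tok = self._take()
        if tok == "(":
            node = self._expr()
            if not self._take(")"):
                raise ValueError("missing ')'")
            return node
        direction = tok if tok in ("src", "dst") else None
        kind = self._take() if direction else tok
        if kind not in ("host", "net"):
            raise ValueError("unexpected token %r" % kind)
        return ("prim", direction, ipaddress.ip_network(self._take(), strict=False))
    def matches(self, src, dst, node=None):  # True = packet passes the filter
        node = self.ast if node is None else node
        if node[0] == "prim":  # host x is a /32, so one membership test serves both
            ends = {"src": [src], "dst": [dst]}.get(node[1], [src, dst])
            return any(ipaddress.ip_address(a) in node[2] for a in ends)
        if node[0] == "not":
            return not self.matches(src, dst, node[1])
        left, right = (self.matches(src, dst, n) for n in node[1:])
        return (left and right) if node[0] == "and" else (left or right)

# Constructed packets: two excluded hosts, one in the excluded /16, one external.
PACKETS = [("10.1.1.1", "8.8.8.8"), ("10.1.1.2", "8.8.8.8"), ("10.2.5.5", "8.8.8.8"), ("192.168.1.1", "8.8.8.8")]
GROUPED = "not (host 10.1.1.1 or host 10.1.1.2) and not net 10.2.0.0/16"
UNGROUPED = "not host 10.1.1.1 or host 10.1.1.2 and not net 10.2.0.0/16"
```

With the parentheses, only the external packet passes; without them the expression parses as `(not host 10.1.1.1) or (host 10.1.1.2 and not net ...)` and three of the four packets pass, which is the kind of difference worth confirming against the real compiler with `tcpdump -d '<filter>'` on the sensor host.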

