[Oisf-users] Avoid inspecting intra lan traffic with BPF filter expression
Chris Boley
ilgtech75 at gmail.com
Thu Jun 30 15:31:21 UTC 2016
I have Suricata IDPS sitting between a Gig-E dot1q trunk interface on a
Cisco switch and a router running dot1q subinterfaces (router on a
stick). I set it up in IPS bridge mode. I have a bunch of small subnets.
I would like to do some tuning on my BPF filtering.
Let's say, for the sake of discussion, the subnets of concern are:
When the source is VLAN 1 (10.200.104.0/25) destined for VLAN 2 (10.200.104.192/28),
I need Suricata to not scan that traffic, and vice versa.
When the source is VLAN 2 (10.200.104.192/28) destined for VLAN 1 (10.200.104.0/25),
I need Suricata to not scan that traffic.
Then actually scan all other $HOME_NET traffic.
VLAN 1: Client / User subnet
VLAN 2: Server subnet
I have several other VLANs in the trunk as well, but it's fine that
Suricata scans them.
Please bear in mind all traffic is VLAN tagged. I saw mentions on the pevma
blog page of specialized expressions for BPF filtering where VLANs were
concerned. I'm looking for some guidance.
I created a 'best guess' filter syntax and I'm sure it's very wrong.
I'm asking for someone to help me get going in the right direction on this:
Thanks in advance!!
My guess at the filter follows:
not ((src net 10.200.104.0/25 and dst net 10.200.104.192/28) or (src net 10.200.104.192/28 and dst net 10.200.104.0/25))
or
(not ((vlan and src net 10.200.104.0/25 and dst net 10.200.104.192/28)
or (vlan and src net 10.200.104.192/28 and dst net 10.200.104.0/25)))
Ideas?
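As an added example (not part of the post above), here is a small Python checker that applies the filter logic described in the message to constructed 802.1Q-tagged frames. It shows why the leading `vlan` keyword matters for tagged traffic: it shifts the IPv4 header from offset 14 to offset 18, so the `src net`/`dst net` primitives decode the right bytes. The BPF string, the frame builder and the sample addresses inside the two subnets are assumptions constructed for this example; it assumes the 802.1Q tag is present in the captured frame.

```python
import ipaddress
import struct

# The two subnets from the post: VLAN 1 clients, VLAN 2 servers.
CLIENT_NET = ipaddress.ip_network("10.200.104.0/25")
SERVER_NET = ipaddress.ip_network("10.200.104.192/28")

# Candidate BPF expression that the checker below mirrors (constructed here).
# The first "vlan" keyword shifts the decoding offsets of every later primitive
# past the 4-byte 802.1Q tag, so "src net"/"dst net" see the IPv4 header.
BPF_FILTER = (
    "vlan and not ((src net 10.200.104.0/25 and dst net 10.200.104.192/28) "
    "or (src net 10.200.104.192/28 and dst net 10.200.104.0/25))"
)

def parse_frame(frame: bytes):
    """Return (vlan_id, src_ip, dst_ip) for an Ethernet frame, tagged or untagged.
    vlan_id is None without an 802.1Q tag; the IPs are None for non-IPv4 payloads."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan_id = 14, None
    if ethertype == 0x8100:              # 802.1Q: 2-byte TCI + 2-byte inner ethertype
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, offset = tci & 0x0FFF, 18   # IPv4 header now starts at 18, not 14
    if ethertype != 0x0800:
        return vlan_id, None, None
    src = ipaddress.ip_address(frame[offset + 12:offset + 16])
    dst = ipaddress.ip_address(frame[offset + 16:offset + 20])
    return vlan_id, src, dst

def should_inspect(frame: bytes) -> bool:
    """True when the frame passes BPF_FILTER, i.e. Suricata should inspect it."""
    vlan_id, src, dst = parse_frame(frame)
    if vlan_id is None or src is None:
        return False                     # untagged or non-IPv4: "vlan and ..." fails
    client_to_server = src in CLIENT_NET and dst in SERVER_NET
    server_to_client = src in SERVER_NET and dst in CLIENT_NET
    return not (client_to_server or server_to_client)

def build_frame(src: str, dst: str, vlan_id=None) -> bytes:
    """Constructed test frame: Ethernet header, optional 802.1Q tag, minimal IPv4 header."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    if vlan_id is None:
        return eth + struct.pack("!H", 0x0800) + ipv4
    return eth + struct.pack("!HHH", 0x8100, vlan_id, 0x0800) + ipv4

if __name__ == "__main__":
    print(BPF_FILTER)
    print(should_inspect(build_frame("10.200.104.10", "10.200.104.200", vlan_id=1)))  # False
```

Because the expression starts with `vlan`, untagged frames fail the filter entirely, which only matches the poster's setup because every frame on the trunk is tagged.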