[Oisf-users] Avoid inspecting intra lan traffic with BPF filter expression
Peter Manev
petermanev at gmail.com
Thu Jun 30 16:11:07 UTC 2016
On Thu, 2016-06-30 at 11:31 -0400, Chris Boley wrote:
> I have suricata IDPS sitting between a Gig-E Dot1q trunk interface on
> a Cisco switch and a Router running dot1q interfaces like a router on
> a stick. I set it up in IPS bridge format. I have a bunch of small
> subnets.
>
> I would like to do some tuning on my BPF filtering.
>
> let's say for the sake of discussion the subnets of concern are:
>
> When source is VLAN 1(10.200.104.0/25) destined for VLAN 2
> (10.200.104.192/28)
>
> I need suricata to not scan that traffic and vice versa.
>
> When source is VLAN 2 (10.200.104.192/28) destined for VLAN 1
> (10.200.104.0/25) I need suricata to not scan that traffic.
>
> Then actually scan all other $HOME_NET traffic.
>
> VLAN 1:
> Client / User Subnet
>
>
> VLAN 2:
> Server subnet
>
> I have several other VLANs in the trunk as well, but it's fine that
> suricata scans them.
>
> Please bear in mind all traffic is VLAN tagged. I saw mentions on the
> pevma blog page of specialized expressions for BPF filtering where
> VLANs were concerned. I'm looking for some guidance.
Suricata is multi-tenant (per vlan rule vars for example) so besides the
bpf you can also try -
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Multi_Tenancy
with a local.rules where you would have a pass rule -
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ignoring_Traffic#pass-rules
to ignore traffic.
>
>
> I created a 'best guess' filter syntax and I'm sure it's very wrong.
>
> I'm asking for someone to help me get going in the right direction on
> this:
>
> Thanks in advance!!
> My guess at the filter follows:
>
> not((src net 10.200.104.0/25 and dst net 10.200.104.192/28) or ( src
> net 10.200.104.192/28 and dst net 10.200.104.0/25))
> or
> (not ((vlan and src net 10.200.104.0/25 and dst net
> 10.200.104.192/28) or (vlan and src net 10.200.104.192/28 and dst net
> 10.200.104.0/25)))
>
>
> Ideas?
You can try this and see if it does the job:
not((ip and src net 10.200.104.0/25 and dst net 10.200.104.192/28) or
(ip and src net 10.200.104.192/28 and dst net 10.200.104.0/25))
or
(not ((vlan and src net 10.200.104.0/25 and dst net 10.200.104.192/28)
or (vlan and src net 10.200.104.192/28 and dst net 10.200.104.0/25)))
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net
--
Regards,
Peter Manev
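As an added example (not part of the thread above), the script below builds constructed Ethernet/802.1Q/IPv4 frames for the two subnets in the question and evaluates the intended exclusion (VLAN 1 <-> VLAN 2 skipped, everything else inspected). It also shows the detail the thread hinges on: a bare `ip`/`net` primitive in pcap-filter syntax tests the ethertype at byte offset 12, which on a tagged frame holds 0x8100, so the `vlan` keyword is what moves the decoding offsets past the tag. The MAC addresses and IPs in the frames are constructed sample values.

```python
import ipaddress
import struct

# The two subnets from the thread: VLAN 1 (clients) and VLAN 2 (servers).
VLAN1_NET = ipaddress.ip_network("10.200.104.0/25")
VLAN2_NET = ipaddress.ip_network("10.200.104.192/28")

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_frame(src_ip, dst_ip, vlan_id=None):
    """Construct a minimal Ethernet(/802.1Q)/IPv4 frame (sample data, not captured traffic)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"  # constructed MACs
    if vlan_id is not None:
        eth += struct.pack("!HH", ETHERTYPE_8021Q, vlan_id & 0x0FFF)  # TPID + TCI
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    # IPv4 header: ver/IHL, TOS, total len, id, flags/frag, TTL, proto, csum, src, dst
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                         ipaddress.ip_address(src_ip).packed,
                         ipaddress.ip_address(dst_ip).packed)
    return eth + ip_hdr


def parse_frame(frame):
    """Return (vlan_id or None, src, dst) for an IPv4 frame, handling one 802.1Q tag."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    offset, vlan_id = 14, None
    if ethertype == ETHERTYPE_8021Q:
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan_id, offset = tci & 0x0FFF, 18  # IP header starts 4 bytes later
    if ethertype != ETHERTYPE_IPV4:
        return vlan_id, None, None
    src, dst = struct.unpack_from("!4s4s", frame, offset + 12)
    return vlan_id, ipaddress.ip_address(src), ipaddress.ip_address(dst)


def plain_ip_primitive_matches(frame):
    """What a bare BPF 'ip' primitive checks: ethertype at offset 12 equals 0x0800.
    On a tagged frame that field is 0x8100, so 'ip' without 'vlan' never matches."""
    return struct.unpack_from("!H", frame, 12)[0] == ETHERTYPE_IPV4


def is_intra_lan(src, dst):
    """True for VLAN 1 -> VLAN 2 or VLAN 2 -> VLAN 1 traffic, the pairs to skip."""
    return (src in VLAN1_NET and dst in VLAN2_NET) or (src in VLAN2_NET and dst in VLAN1_NET)


def should_inspect(frame):
    """Intended policy: inspect everything except the VLAN 1 <-> VLAN 2 pairs."""
    _, src, dst = parse_frame(frame)
    return True if src is None else not is_intra_lan(src, dst)
```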