[Oisf-users] Avoid inspecting intra lan traffic with BPF filter expression

Peter Manev petermanev at gmail.com
Thu Jun 30 16:11:07 UTC 2016


On Thu, 2016-06-30 at 11:31 -0400, Chris Boley wrote:
> I have Suricata IDPS sitting between a Gig-E Dot1q trunk interface on
> a Cisco switch and a Router running dot1q interfaces like a router on
> a stick. I set it up in IPS bridge format. I have a bunch of small
> subnets.
> 
> I would like to do some tuning on my BPF filtering.
> 
> Let's say for sake of discussion subnets of concern are:
> 
> When source is VLAN 1(10.200.104.0/25) destined for VLAN 2
> (10.200.104.192/28)
> 
> I need suricata to not scan that traffic and vice versa.
> 
> When source is VLAN 2 (10.200.104.192/28) destined for VLAN 1
> (10.200.104.0/25) I need suricata to not scan that traffic.
> 
> Then actually scan all other $HOME_NET traffic.
> 
> VLAN 1:
> Client / User Subnet
> 
> 
> VLAN 2:
> Server subnet
> 
> I have several other VLANs in the trunk as well, but it's fine that
> suricata scans them.
> 
> Please bear in mind all traffic is VLAN tagged. I saw mentions on the
> pevma blog page of specialized expressions for BPF filtering where
> VLANs were concerned. I'm looking for some guidance.

Suricata is multi-tenant (per vlan rule vars for example) so besides the
bpf you can also try -
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Multi_Tenancy
with a local.rules where you would have a pass rule -
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ignoring_Traffic#pass-rules
to ignore traffic.

> 
> 
> I created a 'best guess' filter syntax and I'm sure it's very wrong. 
> 
> I'm asking for someone to help me get going in the right direction on
> this:
> 
> Thanks in advance!!
> My guess at the filter follows:
> 
> not((src net 10.200.104.0/25 and dst net 10.200.104.192/28) or ( src
> net 10.200.104.192/28 and dst net 10.200.104.0/25))
>     or
>    (not ((vlan and src net 10.200.104.0/25 and dst net
> 10.200.104.192/28) or (vlan and src net 10.200.104.192/28 and dst net
> 10.200.104.0/25)))
> 
> 
> Ideas?

You can try this and see if it does the job:
not (
  (ip and ((src net 10.200.104.0/25 and dst net 10.200.104.192/28)
           or (src net 10.200.104.192/28 and dst net 10.200.104.0/25)))
  or
  (vlan and ((src net 10.200.104.0/25 and dst net 10.200.104.192/28)
             or (src net 10.200.104.192/28 and dst net 10.200.104.0/25)))
)



> 
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net

-- 
Regards,
Peter Manev
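The following is an added example, not code from the thread or from the Suricata project. It models in plain Python the two things a practitioner needs to see before trusting a filter like the one asked about: first, that libpcap's `vlan` keyword shifts every later offset by 4 bytes, so the untagged and the tagged case must be matched separately; second, that an expression of the shape `not(A) or not(B)`, which is the shape of the guess in the question, is equivalent to `not(A and B)` and therefore hands every frame to Suricata, because a single frame is never both untagged and tagged. The two subnets are the ones from the thread; the frames, VLAN ids and host addresses are constructed sample data, and the decoder is a hypothetical stand-in for libpcap, not the real BPF engine (run `tcpdump -d '<expression>'` to see what libpcap actually compiles).

```python
import struct
import ipaddress

ETH_P_IP = 0x0800
ETH_P_8021Q = 0x8100

VLAN_1 = ipaddress.ip_network("10.200.104.0/25")    # client/user subnet (from the thread)
VLAN_2 = ipaddress.ip_network("10.200.104.192/28")  # server subnet (from the thread)


def build_frame(src_ip, dst_ip, vlan_id=None):
    """Construct a minimal Ethernet/IPv4 frame (constructed sample, no payload).
    With vlan_id set, an 802.1Q tag is inserted; that tag is what moves the
    ethertype and the IP header 4 bytes further in."""
    eth = bytes.fromhex("000000000002") + bytes.fromhex("000000000001")  # dst MAC, src MAC
    if vlan_id is not None:
        eth += struct.pack("!HH", ETH_P_8021Q, vlan_id & 0x0FFF)  # TPID + TCI (VID only)
    eth += struct.pack("!H", ETH_P_IP)
    # Minimal IPv4 header: ver/IHL, TOS, total len, id, flags/frag, TTL, proto, csum, src, dst
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                         ipaddress.ip_address(src_ip).packed,
                         ipaddress.ip_address(dst_ip).packed)
    return eth + ip_hdr


def decode(frame):
    """Return (tagged, src, dst); src/dst are None for non-IPv4 frames.
    Mirrors the offset handling behind libpcap's 'vlan' keyword: once a tag is
    present, the ethertype sits at 16 and the IP header starts at 18, not 14."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, tagged = 14, False
    if ethertype == ETH_P_8021Q:
        tagged = True
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    if ethertype != ETH_P_IP:
        return tagged, None, None
    src = ipaddress.ip_address(frame[offset + 12:offset + 16])
    dst = ipaddress.ip_address(frame[offset + 16:offset + 20])
    return tagged, src, dst


def intra_lan(src, dst):
    """'src net X and dst net Y' or the reverse: the traffic the poster wants skipped."""
    if src is None:
        return False
    return (src in VLAN_1 and dst in VLAN_2) or (src in VLAN_2 and dst in VLAN_1)


def untagged_match(frame):
    """A: 'ip and src net ... and dst net ...' evaluated at the untagged offsets."""
    tagged, src, dst = decode(frame)
    return (not tagged) and intra_lan(src, dst)


def tagged_match(frame):
    """B: 'vlan and src net ... and dst net ...' evaluated at the shifted offsets."""
    tagged, src, dst = decode(frame)
    return tagged and intra_lan(src, dst)


def filter_not_a_or_not_b(frame):
    """Shape of the guess in the question: not(A) or not(B) == not(A and B)."""
    return (not untagged_match(frame)) or (not tagged_match(frame))


def filter_not_a_or_b(frame):
    """not(A or B): drop both the untagged and the tagged intra-LAN case."""
    return not (untagged_match(frame) or tagged_match(frame))


def evaluate(filter_fn):
    """Map each constructed frame to whether the filter hands it to Suricata (True = inspected)."""
    samples = {
        "untagged client->server": build_frame("10.200.104.10", "10.200.104.200"),
        "tagged client->server": build_frame("10.200.104.10", "10.200.104.200", vlan_id=1),
        "tagged server->client": build_frame("10.200.104.200", "10.200.104.10", vlan_id=2),
        "tagged client->other vlan": build_frame("10.200.104.10", "10.200.104.130", vlan_id=1),
    }
    return {name: filter_fn(frame) for name, frame in samples.items()}


if __name__ == "__main__":
    for label, fn in (("not(A) or not(B)", filter_not_a_or_not_b),
                      ("not(A or B)", filter_not_a_or_b)):
        print(label, evaluate(fn))
```

Running it shows the first shape returning True for every frame, including the tagged client-to-server traffic that was supposed to be skipped, while the `not(A or B)` shape inspects only the frame to the unrelated subnet. The same offset rule is why the real expression should contain the `vlan` keyword only once: each further `vlan` in a libpcap expression shifts the offsets by another 4 bytes, so a second `vlan and ...` clause would only match double-tagged frames.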