[Oisf-users] Avoid inspecting intra lan traffic with BPF filter expression

Peter Manev petermanev at gmail.com
Thu Jun 30 16:11:07 UTC 2016

On Thu, 2016-06-30 at 11:31 -0400, Chris Boley wrote:
> I have suricata IDPS sitting between a Gig-E Dot1q trunk interface on
> a Cisco switch and a Router running dot1q interfaces like a router on
> a stick. I set it up in IPS bridge format. I have a bunch of small
> subnets.
> I would like to do some tuning on my BPF filtering.
> let's say for sake of discussion subnets of concern are:
> When source is VLAN 1( destined for VLAN 2
> (
>  I need suricata to not scan that traffic and vice versa.
>  When source is VLAN 2 ( destined for VLAN 1
> ( I need suricata to not scan that traffic.
> Then actually scan all other $HOME_NET traffic.
> VLAN 1:
> Client / User Subnet
> VLAN 2:
> Server subnet
> I have several other VLANS in the trunk as well, but it's fine that
> suricata scans them.
> Please bear in mind all traffic is VLAN tagged. I saw mentions on the
> pevma blog page of specialized expressions for BPF filtering where
> VLANs were concerned. I'm looking for some guidance.

Suricata is multi-tenant (per vlan rule vars for example) so besides the
bpf you can also try - with a local.rules where you would have a pass rule -
to ignore traffic.

> I created a 'best guess' filter syntax and I'm sure it's very wrong. 
> I'm asking for someone to help me get going in the right direction on
> this:
> Thanks in advance!!
> My guess at the filter follows:
> not((src net and dst net or ( src
> net and dst net
>     or
>    (not ((vlan and src net and dst net
> or (vlan and src net and dst net
> Ideas?

You can try this and see if it does the job:
not((ip and src net and dst net or
(ip and src net and dst net
(not ((vlan and src net and dst net
or (vlan and src net and dst net

> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net

Peter Manev
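As an added illustration (not part of the thread), the following Python builds the "skip VLAN 1 <-> VLAN 2 traffic, inspect everything else" BPF expression and checks it against a small reference model before it goes into production. The two subnets are constructed RFC 5737 placeholders, since the thread does not show the real ones, and the code hoists a single `vlan` keyword because each `vlan` in a libpcap expression shifts the decode offsets by another 802.1Q header.

```python
"""Generate and sanity-check a BPF filter that excludes traffic between two
VLAN subnets while leaving all other traffic for Suricata to inspect."""
import ipaddress

# Constructed placeholders (RFC 5737), not the subnets from the thread.
CLIENT_NET = "192.0.2.0/24"     # VLAN 1, client/user subnet
SERVER_NET = "198.51.100.0/24"  # VLAN 2, server subnet


def build_bpf(net_a: str, net_b: str) -> str:
    """Return a libpcap filter matching everything except IPv4 between net_a and net_b.

    Caveat: every 'vlan' keyword shifts libpcap's decode offsets by one 802.1Q
    header, so 'vlan and ... or vlan and ...' makes the second branch expect a
    double-tagged (QinQ) frame. Use one 'vlan' and nest both directions under it.
    The plain 'ip' branch still covers untagged frames on the native VLAN.
    """
    pair = (f"((src net {net_a} and dst net {net_b}) or "
            f"(src net {net_b} and dst net {net_a}))")
    return f"not ((ip and {pair}) or (vlan and ip and {pair}))"


def should_inspect(src: str, dst: str,
                   net_a: str = CLIENT_NET, net_b: str = SERVER_NET) -> bool:
    """Reference model of the filter: True if Suricata should see this packet.
    Tagging does not matter here because both branches test the same addresses."""
    a, b = ipaddress.ip_network(net_a), ipaddress.ip_network(net_b)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    between = (s in a and d in b) or (s in b and d in a)
    return not between


def classify(flows):
    """Apply the model to (src, dst) pairs; returns [(src, dst, inspect), ...]."""
    return [(s, d, should_inspect(s, d)) for s, d in flows]


# Constructed sample flows: client->server, server->client, client->Internet,
# server->another internal VLAN (192.0.2.0/24 is only matched as a whole net).
SAMPLE_FLOWS = [
    ("192.0.2.10", "198.51.100.5"),   # VLAN1 -> VLAN2: skip
    ("198.51.100.5", "192.0.2.10"),   # VLAN2 -> VLAN1: skip
    ("192.0.2.10", "203.0.113.7"),    # VLAN1 -> outside: inspect
    ("198.51.100.5", "10.20.30.40"),  # VLAN2 -> other VLAN: inspect
]

if __name__ == "__main__":
    print(build_bpf(CLIENT_NET, SERVER_NET))
    for src, dst, inspect in classify(SAMPLE_FLOWS):
        print(f"{src:>14} -> {dst:<14} {'inspect' if inspect else 'skip'}")
```

Compile-check the generated string with `tcpdump -d '<expression>'` before handing it to Suricata; a syntax error there will show up before the sensor goes blind.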
