[Oisf-users] Suricata bpf limitations? not statement

Peter Manev petermanev at gmail.com
Sat Mar 5 13:43:02 UTC 2016


On Fri, Feb 26, 2016 at 7:49 PM, Jeremy MJ <jskier at gmail.com> wrote:
> Hi,
>
> Are there any limitations to the bpf filter, whether it be in the file
> or yaml config? I have one using a not statement and it seems to bork
> suricata (service runs but won't scan any traffic). I QCed it with
> WireShark and tcpdump, and it works just fine. Also, checked that I'm
> not blocking a gateway or proxy server. Using things like tcp and port
> 80 work fine in suricata, seems specific to the not statement.
>


How do you pass the filter? (in yaml/file/cmd line)
Please feel free to share it (privately if you would like)


> I can send an obfuscated filter if interested. Basically, it's a group
> of internal hosts (by ip across the board):
> not (host x OR host y....) and not net z/16. I tried playing with src
> and dest for this too, but suricata won't see or analyze any traffic
> when either bpf filter is used.
>
> Running suricata 3 on pfring, monitor only. I thought this may be
> related to erspan, but this instance is working with traffic from
> rspan.
>
> --
> Jeremy MJ
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net



-- 
Regards,
Peter Manev
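As an added example (not code from the thread or from Suricata), the helper below builds an exclusion filter of the shape Jeremy describes, "not (host x or host y ...) and not net z/16", and validates the addresses the way libpcap's compiler would, so a mistyped host or a net with host bits set fails loudly instead of leaving the sensor running but idle. The host and network values are constructed samples; the resulting string is what you would place in the file passed with `-F` or under `bpf-filter:` for the capture interface in suricata.yaml.

```python
import ipaddress

# Added example, not from the mailing-list thread: assemble a pcap-filter
# exclusion expression and catch inputs the BPF compiler would reject.

def build_exclusion_filter(hosts, nets):
    """Return 'not (host A or host B ...) and not net X/N ...'.

    pcap-filter keywords are lowercase ('or', 'and', 'not'); an uppercase
    'OR' is not accepted by the compiler. Every address goes through the
    ipaddress module so a typo fails here rather than at capture time.
    """
    host_terms = [f"host {ipaddress.ip_address(h)}" for h in hosts]
    # strict=True mirrors libpcap: 'net 10.1.5.0/16' is refused because
    # host bits are set; the network address itself must be given.
    net_terms = [f"net {ipaddress.ip_network(n, strict=True)}" for n in nets]
    clauses = []
    if host_terms:
        clauses.append("not (" + " or ".join(host_terms) + ")")
    for term in net_terms:
        clauses.append(f"not {term}")
    if not clauses:
        raise ValueError("nothing to exclude")
    return " and ".join(clauses)


def check_filter(hosts, nets):
    """Return (ok, expression_or_error) without raising, for scripting."""
    try:
        return True, build_exclusion_filter(hosts, nets)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample values, not addresses from the thread.
    print(build_exclusion_filter(["10.0.0.5", "10.0.0.6"], ["10.1.0.0/16"]))
    print(check_filter([], ["10.1.5.0/16"]))  # host bits set: rejected
```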

