[Oisf-users] Suricata bpf limitations? not statement

Victor Julien lists at inliniac.net
Sat Mar 5 18:52:46 UTC 2016


On 26-02-16 19:49, Jeremy MJ wrote:
> Hi,
> 
> Are there any limitations to the bpf filter, whether it be in the file
> or yaml config? I have one using a not statement and it seems to bork
> suricata (service runs but won't scan any traffic). I QCed it with
> WireShark and tcpdump, and it works just fine. Also, checked that I'm
> not blocking a gateway or proxy server. Using things like tcp and port
> 80 work fine in suricata, seems specific to the not statement.
> 
> I can send an obfuscated filter if interested. Basically, it's a group
> of internal hosts (by ip across the board):
> not (host x OR host y....) and not net z/16. I tried playing with src
> and dest for this too, but suricata won't see or analyze any traffic
> when either bpf filter is used.
> 
> Running suricata 3 on pfring, monitor only. I thought this may be
> related to erspan, but this instance is working with traffic from
> rspan.

You may want to check how bpf and erspan interact by looking at the
details of how the filter is created. See this post for an example with
vlans:
http://taosecurity.blogspot.nl/2008/12/bpf-for-ip-or-vlan-traffic.html

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
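Added illustration of the point made above (not code from the thread, from Suricata or from libpcap): a classic BPF program compiled for a plain Ethernet link reads the EtherType at offset 12 and the IPv4 addresses at fixed offsets 26 and 30, so what `host` and `net` primitives see depends on what is in front of the IP header. The functions below emulate that fixed-offset behaviour for the exclusion filter from the question and feed it constructed frames: plain, 802.1Q-tagged, and ERSPAN (GRE over IP). All addresses, MACs, VLAN ids and the ERSPAN session endpoints are made-up values for the demo; the ARP/RARP branches libpcap also emits for `host` are deliberately left out, and whether PF_RING compiles the expression exactly as libpcap does is an assumption, so treat the outcome as a model to check against `tcpdump -d`, not as Suricata's own logic.

```python
"""Emulate fixed-offset BPF matching of `not (host x or host y) and not net z/16`
on plain, VLAN-tagged and ERSPAN-encapsulated frames (constructed test data)."""
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100
ETHERTYPE_ERSPAN2 = 0x88BE   # GRE protocol type carried by ERSPAN type II
IPPROTO_GRE = 47

DUMMY_MAC_A = bytes.fromhex("020000000001")   # made-up locally administered MACs
DUMMY_MAC_B = bytes.fromhex("020000000002")


def ipv4_packet(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left at zero) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def ether_frame(payload, ethertype=ETHERTYPE_IPV4, vlan_id=None):
    """Ethernet II frame, optionally with one 802.1Q tag in front of the EtherType."""
    hdr = DUMMY_MAC_A + DUMMY_MAC_B
    if vlan_id is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def erspan_frame(outer_src, outer_dst, inner_frame):
    """ERSPAN type II as it appears on the wire: outer Ethernet + outer IPv4 + GRE (with
    sequence number) + 8-byte ERSPAN header + the mirrored frame. Constructed, not captured."""
    gre = struct.pack("!HHI", 0x1000, ETHERTYPE_ERSPAN2, 1)   # S flag set, seq = 1
    erspan_hdr = bytes(8)                                     # version/VLAN/session id zeroed
    return ether_frame(ipv4_packet(outer_src, outer_dst, IPPROTO_GRE,
                                   gre + erspan_hdr + inner_frame))


def erspan_inner(frame):
    """Strip outer Ethernet (14) + IPv4 (20) + GRE with seq (8) + ERSPAN (8) = 50 bytes."""
    return frame[14 + 20 + 8 + 8:]


def fixed_offset_ipv4_addrs(frame, expect_vlan=False):
    """What the compiled program does: read the EtherType at offset 12 and, only when it
    is IPv4, the addresses at offsets 26 and 30. With the `vlan` keyword the compiler
    instead expects 0x8100 at offset 12 and shifts every later offset by 4.
    Returns (src, dst), or None when the program's IPv4 branch is not taken."""
    off = 0
    if expect_vlan:
        if len(frame) < 18 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_VLAN:
            return None
        off = 4
    if len(frame) < 34 + off or struct.unpack_from("!H", frame, 12 + off)[0] != ETHERTYPE_IPV4:
        return None
    return (ipaddress.IPv4Address(frame[26 + off:30 + off]),
            ipaddress.IPv4Address(frame[30 + off:34 + off]))


def exclude_filter_accepts(frame, hosts, nets, expect_vlan=False):
    """`not (host ... or host ...) and not net z/16`: accept unless a primitive matched."""
    addrs = fixed_offset_ipv4_addrs(frame, expect_vlan)
    if addrs is None:
        return True   # `host`/`net` are false on this frame, so the negation is true
    hosts = {ipaddress.IPv4Address(h) for h in hosts}
    nets = [ipaddress.IPv4Network(n) for n in nets]
    return not any(a in hosts or any(a in n for n in nets) for a in addrs)


HOSTS = ("10.1.2.3", "10.1.2.4")      # stand-ins for "host x OR host y"
NETS = ("10.2.0.0/16",)               # stand-in for "net z/16"


def demo():
    """Run the exclusion filter over constructed frames; returns a name -> accepted map."""
    plain_internal = ether_frame(ipv4_packet("10.1.2.3", "93.184.216.34", 6, b"GET /"))
    plain_external = ether_frame(ipv4_packet("93.184.216.34", "10.1.5.5", 6, b"HTTP/1.1 200"))
    tagged_internal = ether_frame(ipv4_packet("10.1.2.3", "93.184.216.34", 6, b"GET /"), vlan_id=100)
    # ERSPAN session whose endpoints both sit inside the excluded /16 (assumed scenario)
    mirrored = erspan_frame("10.2.0.5", "10.2.0.9", plain_external)
    return {
        "plain_internal": exclude_filter_accepts(plain_internal, HOSTS, NETS),
        "plain_external": exclude_filter_accepts(plain_external, HOSTS, NETS),
        "tagged_internal_no_vlan_kw": exclude_filter_accepts(tagged_internal, HOSTS, NETS),
        "tagged_internal_vlan_kw": exclude_filter_accepts(tagged_internal, HOSTS, NETS, expect_vlan=True),
        "erspan_outer_header": exclude_filter_accepts(mirrored, HOSTS, NETS),
        "erspan_decapsulated": exclude_filter_accepts(erspan_inner(mirrored), HOSTS, NETS),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:28s} {'passes filter' if accepted else 'dropped by filter'}")
```

Two things the run makes visible. On a tagged frame the IPv4 branch is never taken, so `not host x` is true and the "excluded" host leaks through (over-capture, not silence); the `vlan` keyword fixes the offsets for tagged frames only. On an ERSPAN feed the primitives are evaluated against the outer GRE delivery header, so if the session endpoints fall inside the excluded net every mirrored packet fails the filter even though the inner traffic would pass, which is one way a sensor can go completely quiet under a `not` filter. To see the real compiled program for your own expression, run `tcpdump -d 'not (host x or host y) and not net z/16'` and compare it with the `vlan` variant, as the linked post does.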
