[Oisf-users] Suricata bpf limitations? not statement

Jeremy MJ jskier at gmail.com
Mon Mar 7 17:47:13 UTC 2016


Thanks guys for getting back.

I tried a few ways of passing it (-F, yaml), but kept getting the same
results with erspan traffic flow. I got super motivated to get my test
environment running with rcdcap (to strip off erspan header and vlan
tags for suricata) and managed to get that to work. Since being able
to strip off the erspan and vlan tags, bpf works pointing to a bpf
file now.

So, time permitting, I'm working on weaving this back to erspan to see
if I can get the same results as I initially got, probably some time
this week.

Victor, thanks for the link, I came across that before as well, very helpful.

--
Jeremy MJ

On Sat, Mar 5, 2016 at 12:52 PM, Victor Julien <lists at inliniac.net> wrote:
>
> On 26-02-16 19:49, Jeremy MJ wrote:
> > Hi,
> >
> > Are there any limitations to the bpf filter, whether it be in the file
> > or yaml config? I have one using a not statement and it seems to bork
> > suricata (service runs but won't scan any traffic). I QCed it with
> > WireShark and tcpdump, and it works just fine. Also, checked that I'm
> > not blocking a gateway or proxy server. Using things like tcp and port
> > 80 work fine in suricata, seems specific to the not statement.
> >
> > I can send an obfuscated filter if interested. Basically, it's a group
> > of internal hosts (by ip across the board):
> > not (host x OR host y....) and not net z/16. I tried playing with src
> > and dest for this too, but suricata won't see or analyze any traffic
> > when either bpf filter is used.
> >
> > Running suricata 3 on pfring, monitor only. I thought this may be
> > related to erspan, but this instance is working with traffic from
> > rspan.
>
> You may want to check how bpf and erspan interact by looking at the
> details of how the filter is created. See this post for an example with
> vlans:
> http://taosecurity.blogspot.nl/2008/12/bpf-for-ip-or-vlan-traffic.html
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net
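The interaction Victor points at, worked through in an added Python model (not code from this thread, from Suricata or from libpcap): a `host`/`net` test compiled for a plain Ethernet link type looks at the IPv4 header directly behind the ethertype, so on ERSPAN traffic it sees the tunnel endpoints rather than the mirrored hosts, and a VLAN tag hides the IP header from it altogether. The script builds constructed ERSPAN-wrapped, VLAN-tagged frames, applies a model of `not (host a or host b) and not net z/16` to the outer header, then again after an rcdcap-style strip of the ERSPAN and VLAN layers; the addresses, VLAN id and span endpoints are assumptions.

```python
import ipaddress
import struct
ETHERTYPE_IP, ETHERTYPE_VLAN, IPPROTO_GRE = 0x0800, 0x8100, 47
def ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum 0) + payload. Constructed test data."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed) + payload
def ethernet(payload, vlan=None):
    """Ethernet II frame (zeroed MACs) carrying IPv4, optionally 802.1Q tagged."""
    tag = struct.pack("!HH", ETHERTYPE_VLAN, vlan) if vlan is not None else b""
    return b"\x00" * 12 + tag + struct.pack("!H", ETHERTYPE_IP) + payload
def erspan(inner, span_src, span_dst):
    """ERSPAN type II: outer Ethernet/IPv4/GRE (proto 0x88BE, S flag) + 8-byte ERSPAN header + inner frame."""
    gre = struct.pack("!HHI", 0x1000, 0x88BE, 1) + b"\x00" * 8
    return ethernet(ipv4(span_src, span_dst, IPPROTO_GRE, gre + inner))
def outer_addrs(frame):
    """What a 'host'/'net' test compiled for plain Ethernet inspects: the IPv4 header right
    after ethertype 0x0800 at offset 12. Tags and tunnels are not followed into."""
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IP:
        return None
    return [ipaddress.ip_address(frame[26:30]), ipaddress.ip_address(frame[30:34])]
def passes_filter(frame, hosts, net):
    """Model of 'not (host a or host b) and not net z/16' evaluated on the outer header only."""
    addrs = outer_addrs(frame)
    if addrs is None:  # non-IP ethertype (e.g. a VLAN tag): 'host' cannot match, so 'not host' is true
        return True
    return not any(a in hosts or a in net for a in addrs)
def decap(frame):
    """rcdcap-style strip: peel 802.1Q tags and ERSPAN/GRE layers until a plain inner frame remains."""
    while True:
        etype = struct.unpack_from("!H", frame, 12)[0]
        if etype == ETHERTYPE_VLAN:
            frame = frame[:12] + frame[16:]            # drop the 4-byte tag
        elif etype == ETHERTYPE_IP and frame[23] == IPPROTO_GRE:
            frame = frame[14 + 20 + 8 + 8:]            # Ethernet + outer IPv4 + GRE + ERSPAN
        else:
            return frame

# Constructed scenario: excluded hosts/net, and a span session whose tunnel endpoints lie inside that net.
HOSTS = {ipaddress.ip_address("10.0.1.5"), ipaddress.ip_address("10.0.1.6")}
NET = ipaddress.ip_network("10.0.0.0/16")
EXTERNAL = ethernet(ipv4("192.0.2.10", "203.0.113.7", 6, b""), vlan=100)  # should be kept
INTERNAL = ethernet(ipv4("10.0.1.5", "198.51.100.3", 6, b""), vlan=100)   # should be excluded
SPAN = [erspan(f, "10.0.250.1", "10.0.250.2") for f in (EXTERNAL, INTERNAL)]
def results():
    """Verdicts on the raw ERSPAN frames versus the same frames after decapsulation."""
    return ([passes_filter(f, HOSTS, NET) for f in SPAN],
            [passes_filter(decap(f), HOSTS, NET) for f in SPAN])  # ([False, False], [True, False])
```

On the raw ERSPAN frames every verdict is False because both tunnel endpoints fall in the excluded /16, which is one way such a filter leaves the sensor with no traffic at all; once the outer layers are stripped, the filter keeps the external conversation and drops the excluded host as intended.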


