[Oisf-users] Suricata bpf limitations? not statement

Eric Leblond eric at regit.org
Wed Mar 9 09:22:20 UTC 2016 

Hi,

On Mon, 2016-03-07 at 11:47 -0600, Jeremy MJ wrote:
> Thanks guys for getting back.
> 
> I tried a few ways of passing it (-F, yaml), but kept getting the
> same
> results with erspan traffic flow. I got super motivated to get my
> test
> environment running with rcdcap (to strip off erspan header and vlan
> tags for suricata) and managed to get that to work. Since being able
> to strip off the erspan and vlan tags, bpf works pointing to a bpf
> file now.

Suricata is using pfring bfp filter ability so the limit encountered
may be one of pfring. Maybe one pfring devel reading the ML could have
a look.

BR,

> So, time permitting, I'm working on weaving this back to erspan to
> see
> if I can get the same results as I initially got, probably some time
> this week.
> 
> Victor, thanks for the link, I came across that before as well, very
> helpful.
> 
> --
> Jeremy MJ
> 
> On Sat, Mar 5, 2016 at 12:52 PM, Victor Julien <lists at inliniac.net>
> wrote:
> > 
> > 
> > On 26-02-16 19:49, Jeremy MJ wrote:
> > > 
> > > Hi,
> > > 
> > > Are there any limitations to the bpf filter, whether it be in the
> > > file
> > > or yaml config? I have one using a not statement and it seems to
> > > bork
> > > suricata (service runs but won't scan any traffic). I QCed it
> > > with
> > > WireShark and tcpdump, and it works just fine. Also, checked that
> > > I'm
> > > not blocking a gateway or proxy server. Using things like tcp and
> > > port
> > > 80 work fine in suricata, seems specific to the not statement.
> > > 
> > > I can send an obfuscated filter if interested. Basically, it's a
> > > group
> > > of internal hosts (by ip accross the board):
> > > not (host x OR host y....) and not net z/16. I tried playing with
> > > src
> > > and dest for this too, but suricata won't see or analyze any
> > > traffic
> > > when either bpf filter is used.
> > > 
> > > Running suricata 3 on pfring, monitor only. I thought this my be
> > > related to erspan, but this instance is working with traffic from
> > > rspan.
> > You may want to check how bpf and erspan interact by looking at the
> > details of how the filter is created. See this post for an example
> > with
> > vlans:
> > http://taosecurity.blogspot.nl/2008/12/bpf-for-ip-or-vlan-traffic.h
> > tml
> > 
> > --
> > ---------------------------------------------
> > Victor Julien
> > http://www.inliniac.net/
> > PGP: http://www.inliniac.net/victorjulien.asc
> > ---------------------------------------------
> > 
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.o
> > rg
> > Site: http://suricata-ids.org | Support: http://suricata-
> > ids.org/support/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf
> > -users
> > Suricata User Conference November 9-11 in Washington, DC: http://oi
> > sfevents.net
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-
> ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-u
> sers
> Suricata User Conference November 9-11 in Washington, DC: http://oisf
> events.net
-- 
Eric Leblond <eric at regit.org>

More information about the Oisf-users mailing list