[Oisf-users] Suricata bpf limitations? not statement

Jeremy MJ jskier at gmail.com
Wed Mar 9 15:37:44 UTC 2016


Interesting, I did a quick test with af-packet and the bpf filter,
this appears to work. I'll do some more testing on this.

--
Jeremy MJ


On Wed, Mar 9, 2016 at 3:22 AM, Eric Leblond <eric at regit.org> wrote:
> Hi,
>
> On Mon, 2016-03-07 at 11:47 -0600, Jeremy MJ wrote:
>> Thanks guys for getting back.
>>
>> I tried a few ways of passing it (-F, yaml), but kept getting the
>> same results with erspan traffic flow. I got super motivated to get my
>> test environment running with rcdcap (to strip off erspan header and
>> vlan tags for suricata) and managed to get that to work. Since being
>> able to strip off the erspan and vlan tags, bpf works pointing to a
>> bpf file now.
>
> Suricata is using pfring bpf filter ability so the limit encountered
> may be one of pfring. Maybe one pfring devel reading the ML could have
> a look.
>
> BR,
>
>> So, time permitting, I'm working on weaving this back to erspan to
>> see if I can get the same results as I initially got, probably some
>> time this week.
>>
>> Victor, thanks for the link, I came across that before as well, very
>> helpful.
>>
>> --
>> Jeremy MJ
>>
>> On Sat, Mar 5, 2016 at 12:52 PM, Victor Julien <lists at inliniac.net>
>> wrote:
>> >
>> >
>> > On 26-02-16 19:49, Jeremy MJ wrote:
>> > >
>> > > Hi,
>> > >
>> > > Are there any limitations to the bpf filter, whether it be in the
>> > > file or yaml config? I have one using a not statement and it seems
>> > > to bork suricata (service runs but won't scan any traffic). I QCed
>> > > it with WireShark and tcpdump, and it works just fine. Also, checked
>> > > that I'm not blocking a gateway or proxy server. Using things like
>> > > tcp and port 80 work fine in suricata, seems specific to the not
>> > > statement.
>> > >
>> > > I can send an obfuscated filter if interested. Basically, it's a
>> > > group of internal hosts (by ip across the board):
>> > > not (host x OR host y....) and not net z/16. I tried playing with
>> > > src and dest for this too, but suricata won't see or analyze any
>> > > traffic when either bpf filter is used.
>> > >
>> > > Running suricata 3 on pfring, monitor only. I thought this may be
>> > > related to erspan, but this instance is working with traffic from
>> > > rspan.
>> > You may want to check how bpf and erspan interact by looking at the
>> > details of how the filter is created. See this post for an example
>> > with vlans:
>> > http://taosecurity.blogspot.nl/2008/12/bpf-for-ip-or-vlan-traffic.html
>> >
>> > --
>> > ---------------------------------------------
>> > Victor Julien
>> > http://www.inliniac.net/
>> > PGP: http://www.inliniac.net/victorjulien.asc
>> > ---------------------------------------------
>> >
>> > _______________________________________________
>> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> > Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net
> --
> Eric Leblond <eric at regit.org>
>
>
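The offset problem behind the vlan post Victor links to, as an added illustration that is not part of this thread or of Suricata/pfring: a small Python model of how a `host X` test reads a frame at fixed offsets, run over constructed frames with and without an 802.1Q tag (assumed layout: 14-byte Ethernet, optional 4-byte tag, IPv4). It shows why a plain `not host X` exclusion lets tagged traffic from X through, and why the "untagged or (vlan and ...)" form is needed.

```python
import struct
import ipaddress

ETH_P_IP = 0x0800
ETH_P_8021Q = 0x8100


def build_frame(src_ip, dst_ip, vlan_id=None):
    """Constructed sample frame: Ethernet, optional 802.1Q tag, minimal IPv4."""
    eth = bytes.fromhex("000000000001") + bytes.fromhex("000000000002")
    if vlan_id is not None:
        eth += struct.pack("!HH", ETH_P_8021Q, vlan_id)  # TPID + TCI
    eth += struct.pack("!H", ETH_P_IP)
    # 20-byte IPv4 header, fields zeroed except version/IHL, len, ttl, proto, addrs
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip


def host_matches(frame, ip, expect_vlan=False):
    """Emulate 'host ip' (expect_vlan=False) or 'vlan and host ip' (True).

    Like the BPF 'vlan' keyword, expect_vlan shifts every later offset by 4.
    """
    off = 12
    ethertype = struct.unpack_from("!H", frame, off)[0]
    if expect_vlan:
        if ethertype != ETH_P_8021Q:
            return False
        off += 4
        ethertype = struct.unpack_from("!H", frame, off)[0]
    if ethertype != ETH_P_IP:
        return False  # the 'host' test never looks behind an unexpected tag
    ip_start = off + 2
    target = ipaddress.IPv4Address(ip).packed
    return (frame[ip_start + 12:ip_start + 16] == target
            or frame[ip_start + 16:ip_start + 20] == target)


def not_host(frame, ip):
    """'not host ip' as written: on a tagged frame 'host ip' is false at the
    untagged offsets, so the exclusion passes the frame even when it is from ip."""
    return not host_matches(frame, ip)


def not_host_vlan_aware(frame, ip):
    """Checks both placements, as in '(not host ip) or (vlan and not host ip)'."""
    if struct.unpack_from("!H", frame, 12)[0] == ETH_P_8021Q:
        return not host_matches(frame, ip, expect_vlan=True)
    return not host_matches(frame, ip)
```

In a real libpcap expression the first `vlan` keyword shifts the offsets for everything after it, so the untagged clause has to come before the `vlan and ...` clause, as the linked post shows.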


