[Oisf-users] BPF filter for a mid/high traffic throughput

Nelson, Cooper cnelson at ucsd.edu
Wed Dec 19 19:33:05 UTC 2018

I'm pretty sure that is my old bpf filter from my prior sensor.  That will only work for HTTP on port 80, as the hex magic at the end translates to 'HTTP'.  

As mentioned, using 4.1.1 with the Hyperscan engine should be able to run the full ETPRO ruleset on that server, assuming it’s a modern system with AVX support. 


-----Original Message-----
From: Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org> On Behalf Of Carlos Lopez
Sent: Tuesday, December 18, 2018 10:43 PM
To: oisf users <oisf-users at openinfosecfoundation.org>
Subject: [Oisf-users] BPF filter for a mid/high traffic throughput

Hi all,

I need to monitor a network with a 4-5GiB traffic throughout per media with one Suricata 4.1.0 (under CentOS 7.6) sensor installed in a host with 64GB RAM and 16 phys cores. To avoid losing packets and/or CPU power analyzing large packets, I am thinking to capture  all client traffic, SYN/FIN packets and the first packet of server responses (for all protocols). For example, for http requests a BPF filter that seems to work is:

(tcp dst port 80 or (tcp src port 80 and (tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450))))

Is this approach correct? But If I would do the same for all tcp and udp ports, is this bpf filter ok:
(tcp and (tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450)) or udp) ?

C. L. Martinez
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

Conference: https://suricon.net
Trainings: https://suricata-ids.org/training/

More information about the Oisf-users mailing list