[Oisf-users] Suricata 4.1-beta1 and bpf filters

Peter Manev petermanev at gmail.com
Tue Jun 19 09:11:59 UTC 2018



> On 19 Jun 2018, at 10:46, C. L. Martinez <carlopmart at gmail.com> wrote:
> 
> No, nothing. But in eve.json only logs like the following appear:
> 
> {"timestamp":"2018-06-19T07:39:39.798652+0000","event_type":"stats","stats":{"uptime":490,"capture":{"kernel_packets":642751,"kernel_drops":0,"bypassed":6133213300033},"decoder":{"pkts":643025,"bytes":47651302,"invalid":0,"ipv4":643025,"ipv6":0,"ethernet":643025,"raw":0,"null":0,"sll":0,"tcp":643025,"udp":0,"sctp":0,"icmpv4":0,"icmpv6":0,"ppp":0,"pppoe":0,"gre":0,"vlan":643025,"vlan_qinq":0,"ieee8021ah":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":74,"max_pkt_size":1058,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"tcp":288796,"udp":0,"icmpv4":0,"icmpv6":0,"spare":400000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":142475512},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":189559,"ssn_memcap_drop":0,"pseudo":0,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":329034,"synack":0,"rst":0,"midstream_pickups":0,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":0,"overlap":0,"overlap_diff_data":0,"insert_data_normal_fail":0,"insert_data_overlap_fail":0,"insert_list_fail":0,"memuse":18350080,"reassembly_memuse":2621440},"detect":{"engines":[{"id":0,"last_reload":"2018-06-19T07:31:42.602932+0000","rules_loaded":18078,"rules_failed":0}],"alert":0,"mpm_list":0,"nonmpm_list":1161,"fnonmpm_list":1158,"match_list":1158},"app_layer":{"flow":{"http":0,"ftp":0,"smtp":0,"tls":0,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"ftp-data":0,"failed_tcp":0,"dcerpc_udp":0,"dns_udp":0,"failed_udp":0},"tx":{"http":0,"ftp":0,"smtp":0,"tls":0,"ssh":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"ftp-data":0,"dcerpc_udp":0,"dns_udp":0},"expectations":0},"flow_mgr":{"closed_pruned":0,"new_pruned":245579,"est_pruned":0,"bypassed_pruned":0,"flows_checked":1935,"flows_notimeout":1935,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":64018,"rows_empty":298,"rows_busy":0,"rows_maxlen":5},"dns":{"memuse":0,"memcap_state":0,"memcap_global":0},"http":{"memuse":0,"memcap":0},"ftp":{"memuse":0,"memcap":0}}}
> 
> Only when Suricata stops do logs and flows appear, as timeouts, for example:
> 
> {"timestamp":"2018-06-19T07:39:39.796916+0000","flow_id":1970306366359069,"event_type":"flow","src_ip":" 192.168.5.253 ","src_port":43376,"dest_ip":"10.2.31.208","dest_port":80,"proto":"TCP","flow":{"pkts_toserver":2,"pkts_toclient":0,"bytes_toserver":156,"bytes_toclient":0,"start":"2018-06-19T07:38:56.378397+0000","end":"2018-06-19T07:38:56.378405+0000","age":0,"state":"new","reason":"shutdown","alerted":false},"tcp":{"tcp_flags":"02","tcp_flags_ts":"02","tcp_flags_tc":"00","syn":true,"state":"syn_sent"}}


If there are no errors or warnings in suricata.log (or on the console/shell) with regard to the filter when you start it, it would mean that the filter is loaded by Suricata.
Then I would guess you probably need to test it out or recheck whether it acts as expected (e.g. test from a certain IP/network).

Thanks 


> 
>> On Tue, Jun 19, 2018 at 9:08 AM, Peter Manev <petermanev at gmail.com> wrote:
>> 
>> 
>> > On 19 Jun 2018, at 09:52, C. L. Martinez <carlopmart at gmail.com> wrote:
>> > 
>> > Hi all,
>> > 
>> >  I have problems with Suricata 4.1-beta1 and bpf filters. As an example:
>> > 
>> > (ip and (src host (192.168.5.1 or 192.168.5.30 or 192.168.5.31 or 192.168.5.250 or 192.168.5.251 or 192.168.5.252 or 192.168.5.253 or 192.168.5.250 or 192.168.5.251 or 192.168.5.252 or 192.168.5.253) and
>> >         (tcp dst port (22 or 25 or 80 or 443 or 445 or 8009 or 8080 or 8081 or 8082 or 8083 or 8084 or 8085 or 8086 or 8087 or 8088 or 8139 or 9443))) and
>> > not host (192.168.6.35 or 192.168.6.36))
>> > 
>> >  This filter works without problems in tcpdump, but Suricata doesn't process it ... The Suricata command line is:
>> > 
>> > suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --pfring=eno2 -vvv -k none -F /etc/suricata/filter_policy.conf
>> 
>> 
>> Any warnings/errors in the start command output?
>> 
>> > 
>> > Any idea?
>> > _______________________________________________
>> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> > 
>> > Conference: https://suricon.net
>> > Trainings: https://suricata-ids.org/training/
> 
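One way to do the pre-flight check Peter describes, as an added example that is not part of this thread or of Suricata: a small Python script that statically lints the filter file handed to -F (the mistakes libpcap rejects: unbalanced parentheses, malformed host operands) and, where tcpdump is installed, has libpcap compile the file without needing capture privileges. The sample filter is constructed in the style of the posted one, with one space-for-dot typo.

```python
"""Pre-flight check for a BPF filter file handed to Suricata with -F (added example
for this thread, not Suricata's or tcpdump's own code)."""
import os, re, shutil, struct, subprocess, tempfile

IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")
HOSTNAME = re.compile(r"^[A-Za-z0-9.-]+$")
OPERATOR = re.compile(r"\s+(?:or|and)\s+")   # separators inside a 'host ( ... )' list

def lint_bpf(text):
    """Return a list of problems found; an empty list means the text looks sane."""
    problems = []
    depth = 0
    for ch in text:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            problems.append("unbalanced ')'")
            break
    if depth > 0:
        problems.append("%d unclosed '('" % depth)
    # Each operand of 'host ( a or b ... )' must be one address or one name.
    for m in re.finditer(r"\bhost\s*\(([^()]*)\)", text):
        seen = set()
        for tok in (t.strip() for t in OPERATOR.split(m.group(1).strip())):
            quad = IPV4.match(tok)
            if quad is None and not HOSTNAME.match(tok):   # e.g. '192.168.5 250'
                problems.append("malformed host operand %r" % tok)
            elif quad and any(int(o) > 255 for o in quad.groups()):
                problems.append("octet out of range in %r" % tok)
            if tok in seen:
                problems.append("duplicate host %r" % tok)
            seen.add(tok)
    return problems

def compile_with_libpcap(filter_path):
    """Have libpcap compile the file ('tcpdump -d -F') against a constructed empty
    Ethernet pcap, so no capture privilege is needed. None when tcpdump is absent."""
    if shutil.which("tcpdump") is None:
        return None
    with tempfile.TemporaryDirectory() as d:
        pcap = os.path.join(d, "empty.pcap")
        with open(pcap, "wb") as f:  # pcap global header only: magic, v2.4, tz, sigfigs, snaplen, DLT_EN10MB
            f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        r = subprocess.run(["tcpdump", "-d", "-r", pcap, "-F", filter_path],
                           capture_output=True, text=True)
    return r.returncode == 0, r.stderr.strip()

# Constructed sample in the style of the thread's filter, with one space-for-dot typo.
SAMPLE = ("(ip and (src host (192.168.5.1 or 192.168.5 250 or 192.168.5.1) and "
          "(tcp dst port (22 or 80))) and not host ( 192.168.6.35 or 192.168.6.36))")
```

Run `lint_bpf` on the contents of the -F file first; if it comes back clean, `compile_with_libpcap` tells you whether libpcap itself accepts the expression, which is the same check Suricata performs at startup.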

