[Oisf-users] BPF Filter in af-packet Suricata 5.0.1
Peter Manev
petermanev at gmail.com
Fri Jan 10 08:17:48 UTC 2020
On Fri, Jan 10, 2020 at 1:56 AM Tiago Faria <tiago.faria.backups at gmail.com>
wrote:
> Hi list,
>
> I wanted to first check here before going into Redmine, but it appears
> that Suricata 5.0.1 is not processing/accepting "bpf-filter: <file>" under
> af-packet.
>
> Section of suricata.yaml:
>
> af-packet:
>   - cluster-id: 1
>     cluster-type: cluster_flow
>     interface: enp2s0
>     threads: auto
>     tpacket-v3: 'yes'
>     use-mmap: 'yes'
>     bpf-filter: '/etc/suricata/capture-filter.bpf'
>
I think this spot is for the filter itself, for example:
bpf-filter: not host 1.1.1.1 and not host 2.2.2.2
(for that specific interface enp2s0)
If you have a BPF file you can supply it on the start/command line like:
suricata -F /path/to/bpf.file
>
> The content of capture-filter.bpf:
>
> not host 1.1.1.1 and
> not host 2.2.2.2
>
> As far as I could tell from the documentation both the content of the file
> and the yaml configuration should be OK.
>
> Any pointers?
>
> Thank you.
> T
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
--
Regards,
Peter Manev
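As an added example, not code from this thread or from the Suricata project: a small POSIX shell helper that shows the two ways the reply distinguishes. It flattens a multi-line capture-filter file (a constructed copy of the one in the question) into the single expression that the af-packet `bpf-filter:` key expects, renders the corrected stanza with that expression inlined, and notes the `suricata -F` alternative for keeping the file. The comment-stripping and line-joining are this script's own choice, not a description of how Suricata itself reads a `-F` file. The syntax check compiles the expression with `tcpdump -d` against an empty pcap header so it needs neither root nor a live interface; the interface name enp2s0 is taken from the question.

```shell
#!/bin/sh
# Added example, not from the thread or the Suricata project. Shows the two
# ways the reply describes: an inline expression under af-packet
# "bpf-filter:", or a file passed with "suricata -F". The comment-stripping
# and line-joining below are this script's own choice, not Suricata's loader.

# Flatten a BPF filter file into one expression: drop '#' comments, turn
# CR/LF/tabs into spaces, squeeze runs of spaces, trim both ends.
bpf_file_to_expr() {
    sed -e 's/#.*$//' "$1" \
        | tr '\r\n\t' '   ' \
        | tr -s ' ' \
        | sed -e 's/^ *//' -e 's/ *$//'
}

# Render an af-packet stanza (same keys as in the question) with the filter
# inlined as the value of bpf-filter, which is what that key expects.
render_afpacket() {
    iface=$1
    expr=$2
    printf 'af-packet:\n'
    printf '  - interface: %s\n' "$iface"
    printf '    cluster-id: 1\n'
    printf '    cluster-type: cluster_flow\n'
    printf '    threads: auto\n'
    printf '    tpacket-v3: yes\n'
    printf '    use-mmap: yes\n'
    printf "    bpf-filter: '%s'\n" "$expr"
}

# Syntax check without root or a live interface: "tcpdump -r <pcap> -d <expr>"
# compiles the expression for the pcap's link type and prints the BPF
# program. The 24 bytes written here are an empty little-endian pcap header
# with linktype 1 (Ethernet), so no packets are read. Returns 1 on a syntax
# error, 0 if the filter compiles or tcpdump is not installed (check skipped).
check_bpf_syntax() {
    if ! command -v tcpdump >/dev/null 2>&1; then
        echo "tcpdump not found, skipping BPF syntax check" >&2
        return 0
    fi
    pcap=$(mktemp)
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$pcap"
    if tcpdump -r "$pcap" -d "$1" >/dev/null 2>&1; then rc=0; else rc=1; fi
    rm -f "$pcap"
    return $rc
}

# Constructed sample file mirroring the one in the question.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# capture-filter.bpf: hosts we never want Suricata to inspect
not host 1.1.1.1 and
not host 2.2.2.2
EOF

filter=$(bpf_file_to_expr "$sample")
check_bpf_syntax "$filter" || echo "BPF syntax error in: $filter" >&2

# Option 1: inline expression in suricata.yaml (redirect into the real file).
render_afpacket enp2s0 "$filter"

# Option 2: keep the file and pass it on the command line instead:
#   suricata -c /etc/suricata/suricata.yaml --af-packet=enp2s0 -F "$sample"
# Either way, validate the configuration before restarting the service:
#   suricata -T -c /etc/suricata/suricata.yaml -v
rm -f "$sample"
```

Running it prints the corrected af-packet stanza with `bpf-filter: 'not host 1.1.1.1 and not host 2.2.2.2'`; a typo in the filter file (for example `not hots 1.1.1.1`) makes the tcpdump check fail before the configuration is ever loaded.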