[Oisf-users] BPF Filter in af-packet Suricata 5.0.1
Tiago Faria
tiago.faria.backups at gmail.com
Fri Jan 10 09:39:13 UTC 2020
Hi Peter,
Thanks! In that case, isn’t there an option to specify a file with the
filter rules?
The documentation mentions “bpf-filter: <file>”, but I didn’t in fact find
any examples where a path is being used there.
On Fri, 10 Jan 2020 at 08:18, Peter Manev <petermanev at gmail.com> wrote:
>
>
> On Fri, Jan 10, 2020 at 1:56 AM Tiago Faria <tiago.faria.backups at gmail.com>
> wrote:
>
>> Hi list,
>>
>> I wanted to first check here before going into Redmine, but it appears
>> that Suricata 5.0.1 is not processing/accepting "bpf-filter: <file>" under
>> af-packet.
>>
>> Section of suricata.yaml:
>>
>> af-packet:
>>   - cluster-id: 1
>>     cluster-type: cluster_flow
>>     interface: enp2s0
>>     threads: auto
>>     tpacket-v3: 'yes'
>>     use-mmap: 'yes'
>>     bpf-filter: '/etc/suricata/capture-filter.bpf'
>>
>
> I think this spot is for the filter itself, for example
> bpf-filter: not host 1.1.1.1 and not host 2.2.2.2
> (for that specific interface enp2s0)
>
> if you have a BPF file you can supply it on the start/command line like
> suricata -F /path/to/bpf.file
>
>
>>
>> The content of capture-filter.bpf:
>>
>> not host 1.1.1.1 and
>> not host 2.2.2.2
>>
>> As far as I could tell from the documentation both the content of the
>> file and the yaml configuration should be OK.
>>
>> Any pointers?
>>
>> Thank you.
>> T
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>> Conference: https://suricon.net
>> Trainings: https://suricata-ids.org/training/
>
>
>
> --
> Regards,
> Peter Manev
>
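The split Peter describes above, the yaml `bpf-filter:` key carrying the filter expression itself while a filter file is passed on the command line with `-F`, as an added shell example that is not part of this thread or of the Suricata project. It joins a multi-line filter file like the one posted into a single expression, optionally compiles that expression with tcpdump as a syntax check, and prints both the inline af-packet section and the equivalent `suricata -F` invocation. The helper names (bpf_join, bpf_check, render_afpacket), the sample file contents and the interface name are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread or from Suricata): turn a multi-line
# BPF file into the single expression the af-packet 'bpf-filter:' key
# expects, and show the equivalent 'suricata -F <file>' command line.
# Helper names and the interface name below are assumptions.

# Collapse the file into one expression: drop '#' comment lines, join the
# remaining lines with single spaces, and trim leading/trailing whitespace.
bpf_join() {
  grep -v '^[[:space:]]*#' "$1" | tr '\n' ' ' \
    | sed 's/[[:space:]]\{1,\}/ /g; s/^ //; s/ $//'
}

# Compile the expression with tcpdump and discard the dumped BPF program.
# This only validates syntax; it needs capture privileges because tcpdump
# opens the interface to learn its link type. Non-zero status = bad filter.
bpf_check() {
  iface="$1"; expr="$2"
  tcpdump -i "$iface" -d "$expr" >/dev/null
}

# Emit the af-packet section with the expression inline: the yaml key takes
# the filter text, not a path to a file.
render_afpacket() {
  iface="$1"; expr="$2"
  printf "af-packet:\n  - interface: %s\n    cluster-id: 1\n    cluster-type: cluster_flow\n    threads: auto\n    tpacket-v3: 'yes'\n    use-mmap: 'yes'\n    bpf-filter: '%s'\n" "$iface" "$expr"
}

# Usage: ./bpf-inline.sh /etc/suricata/capture-filter.bpf [interface]
main() {
  file="$1"; iface="${2:-enp2s0}"
  expr=$(bpf_join "$file")
  if command -v tcpdump >/dev/null 2>&1; then
    bpf_check "$iface" "$expr" || { echo "filter does not compile: $expr" >&2; return 1; }
  fi
  render_afpacket "$iface" "$expr"
  echo "# or keep the file and pass it on the command line instead:"
  echo "# suricata -c /etc/suricata/suricata.yaml --af-packet=$iface -F $file"
}

if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

With the two-line file from the original post, bpf_join yields `not host 1.1.1.1 and not host 2.2.2.2`, which is the value that goes after `bpf-filter:`; the tcpdump step is skipped when tcpdump is absent, so the script still renders the section on a minimal host.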