[Oisf-users] BPF Filter in af-packet Suricata 5.0.1

Peter Manev petermanev at gmail.com
Fri Jan 10 10:20:25 UTC 2020


On Fri, Jan 10, 2020 at 10:39 AM Tiago Faria <tiago.faria.backups at gmail.com>
wrote:

> Hi Peter,
>
> Thanks! In that case, isn’t there an option to specify a file with the
> filter rules?
>
> The documentation mentions “bpf-filter: <file>”, but I didn’t in fact find
> any examples where a path is being used there.
>

When you start suri in verbose mode on the command line while
specifying the file in suricata.yaml
-> bpf-filter: '/etc/suricata/capture-filter.bpf'
do you have any errors/output with regards to that?



>
> On Fri, 10 Jan 2020 at 08:18, Peter Manev <petermanev at gmail.com> wrote:
>
>>
>>
>> On Fri, Jan 10, 2020 at 1:56 AM Tiago Faria <
>> tiago.faria.backups at gmail.com> wrote:
>>
>>> Hi list,
>>>
>>> I wanted to first check here before going into Redmine, but it appears
>>> that Suricata 5.0.1 is not processing/accepting "bpf-filter: <file>" under
>>> af-packet.
>>>
>>> Section of suricata.yaml:
>>>
>>> af-packet:
>>> -   cluster-id: 1
>>>     cluster-type: cluster_flow
>>>     interface: enp2s0
>>>     threads: auto
>>>     tpacket-v3: 'yes'
>>>     use-mmap: 'yes'
>>>     bpf-filter: '/etc/suricata/capture-filter.bpf'
>>>
>>
>> I think this spot is for the filter itself, for example
>> bpf-filter: not host 1.1.1.1 and not host 2.2.2.2
>> (for that specific interface enp2s0)
>>
>> If you have a BPF file, you can supply it on the start/command line like
>> suricata -F /path/to/bpf.file
>>
>>
>>>
>>> The content of capture-filter.bpf:
>>>
>>> not host 1.1.1.1 and
>>> not host 2.2.2.2
>>>
>>> As far as I could tell from the documentation both the content of the
>>> file and the yaml configuration should be OK.
>>>
>>> Any pointers?
>>>
>>> Thank you.
>>> T
>>> _______________________________________________
>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> Site: http://suricata-ids.org | Support:
>>> http://suricata-ids.org/support/
>>> List:
>>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>
>>> Conference: https://suricon.net
>>> Trainings: https://suricata-ids.org/training/
>>
>>
>>
>> --
>> Regards,
>> Peter Manev
>>
>

-- 
Regards,
Peter Manev
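Added example, not from the thread, Suricata or its documentation: a small preflight check that applies the distinction Peter describes (af-packet `bpf-filter` carries the expression itself; a filter file goes on the command line with `-F`). It flags a `bpf-filter` value that looks like a file path and folds the file's multi-line content into a single expression that can be pasted inline. The path heuristic, the function names and the sample data are all my own assumptions.

```python
"""Preflight check for Suricata af-packet BPF filter settings.

Assumption (taken from Peter's reply, not verified against Suricata source):
  - af-packet 'bpf-filter' holds the filter expression itself
  - a filter file is passed on the command line as 'suricata -F <file>'
"""
import shlex

# Constructed sample data mirroring the thread (not a real deployment).
AF_PACKET = [{"interface": "enp2s0", "cluster-id": 1,
              "bpf-filter": "/etc/suricata/capture-filter.bpf"}]
FILTER_FILE = "not host 1.1.1.1 and\nnot host 2.2.2.2\n"


def looks_like_path(value):
    """Heuristic (my assumption): a BPF expression never starts with a
    path prefix or ends in '.bpf'; such a value is probably a file name."""
    v = value.strip()
    return v.startswith(("/", "./", "~")) or v.endswith(".bpf")


def normalize_filter(text):
    """Fold a multi-line filter file into one expression: drop '#' comments
    and blank lines, then join the remaining lines with single spaces."""
    parts = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts.append(line)
    return " ".join(parts)


def check_af_packet(entries, file_text=None):
    """Return (warnings, fixes). For each interface whose bpf-filter looks
    like a path, suggest the '-F' command line and, when the file content is
    supplied, the equivalent inline expression for the yaml."""
    warnings, fixes = [], {}
    for entry in entries:
        iface = entry.get("interface", "?")
        bpf = entry.get("bpf-filter")
        if bpf is None or not looks_like_path(bpf):
            continue
        warnings.append(f"{iface}: bpf-filter looks like a file path ({bpf}); "
                        "af-packet bpf-filter expects the expression itself")
        fixes[iface] = {"cmdline": f"suricata -F {shlex.quote(bpf)}"}
        if file_text is not None:
            fixes[iface]["inline"] = normalize_filter(file_text)
    return warnings, fixes


if __name__ == "__main__":
    for line in check_af_packet(AF_PACKET, FILTER_FILE)[0]:
        print(line)
```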