[Oisf-users] BPF Filter in af-packet Suricata 5.0.1

Tiago Faria tiago.faria.backups at gmail.com
Fri Jan 10 11:59:16 UTC 2020


On Fri, Jan 10, 2020 at 10:20 AM Peter Manev <petermanev at gmail.com> wrote:

> When you start suri in verbose mode on the command line while
> specifying the file in suricata.yaml
> -> bpf-filter: '/etc/suricata/capture-filter.bpf'
> Do you have any errors /output with regards to that?
>

When referring to a file:

[12118] 10/1/2020 -- 11:41:29 - (source-af-packet.c:2274) <Error>
(AFPSetBPFFilter) -- [ERRCODE: SC_ERR_AFP_CREATE(190)] - Failed to compile
BPF "/etc/suricata/capture-filter.bpf": syntax error in filter expression:
syntax error
[12118] 10/1/2020 -- 11:41:29 - (source-af-packet.c:1507) <Error>
(ReceiveAFPLoop) -- [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init
AF_PACKET socket, fatal error

If I replace that with a BPF expression, for example:

bpf-filter: "not host 1.1.1.1"

[12136] 10/1/2020 -- 11:44:27 - (source-af-packet.c:2261) <Info>
(AFPSetBPFFilter) -- Using BPF 'not host 1.1.1.1' on iface 'enp0s3'

Calling the file with -F works as intended as well.

Is it safe to assume there isn't a way of calling the file via
suricata.yaml?


>
>
>>
>> On Fri, 10 Jan 2020 at 08:18, Peter Manev <petermanev at gmail.com> wrote:
>>
>>>
>>>
>>> On Fri, Jan 10, 2020 at 1:56 AM Tiago Faria <
>>> tiago.faria.backups at gmail.com> wrote:
>>>
>>>> Hi list,
>>>>
>>>> I wanted to first check here before going into Redmine, but it appears
>>>> that Suricata 5.0.1 is not processing/accepting "bpf-filter: <file>" under
>>>> af-packet.
>>>>
>>>> Section of suricata.yaml:
>>>>
>>>> af-packet:
>>>> -   cluster-id: 1
>>>>     cluster-type: cluster_flow
>>>>     interface: enp2s0
>>>>     threads: auto
>>>>     tpacket-v3: 'yes'
>>>>     use-mmap: 'yes'
>>>>     bpf-filter: '/etc/suricata/capture-filter.bpf'
>>>>
>>>
>>> I think this spot is for the filter itself, for example
>>> bpf-filter: not host 1.1.1.1 and not host 2.2.2.2
>>> (for that specific interface enp2s0)
>>>
>>> if you have a BPF file you can supply it on the start/command line like
>>> suricata -F /path/to/bpf.file
>>>
>>>
>>>>
>>>> The content of capture-filter.bpf:
>>>>
>>>> not host 1.1.1.1 and
>>>> not host 2.2.2.2
>>>>
>>>> As far as I could tell from the documentation both the content of the
>>>> file and the yaml configuration should be OK.
>>>>
>>>> Any pointers?
>>>>
>>>> Thank you.
>>>> T
>>>> _______________________________________________
>>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>>> Site: http://suricata-ids.org | Support:
>>>> http://suricata-ids.org/support/
>>>> List:
>>>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>>
>>>> Conference: https://suricon.net
>>>> Trainings: https://suricata-ids.org/training/
>>>
>>>
>>>
>>> --
>>> Regards,
>>> Peter Manev
>>>
>>
>
> --
> Regards,
> Peter Manev
>
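An added config sanity check, written for this thread and not code from Suricata or from either poster: it flags an af-packet `bpf-filter` value that is a file path rather than a filter expression (the misconfiguration above, which fails with "syntax error in filter expression" because Suricata compiles the path string itself), and collapses a multi-line .bpf file into the single-line expression form that can be placed inline under af-packet. The YAML section and file content are constructed from the thread; the path heuristic is an assumption of this script, not a Suricata rule.

```python
import re

# Constructed af-packet section mirroring the thread: one interface with a
# file path (wrong for this key) and one with a real expression.
SAMPLE_YAML = """\
af-packet:
  - interface: enp2s0
    cluster-id: 1
    cluster-type: cluster_flow
    threads: auto
    tpacket-v3: 'yes'
    use-mmap: 'yes'
    bpf-filter: '/etc/suricata/capture-filter.bpf'
  - interface: enp0s3
    bpf-filter: "not host 1.1.1.1"
"""

# Constructed content of capture-filter.bpf as posted (two lines).
SAMPLE_BPF_FILE = "not host 1.1.1.1 and\nnot host 2.2.2.2\n"

_BPF_LINE = re.compile(r"^[ \t]*bpf-filter:[ \t]*(?P<val>.+?)[ \t]*$", re.M)


def _unquote(raw: str) -> str:
    """Strip one layer of matching single or double quotes, as YAML would."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":
        return raw[1:-1]
    return raw


def looks_like_path(value: str) -> bool:
    """Heuristic (assumption): a pcap filter never starts like a path or ends in .bpf."""
    v = value.strip()
    return v.startswith(("/", "./", "~/")) or v.endswith(".bpf")


def af_packet_section(yaml_text: str) -> str:
    """Return the indented body of the top-level 'af-packet:' key only."""
    m = re.search(r"^af-packet:[ \t]*$(.*?)(?=^\S|\Z)", yaml_text, re.M | re.S)
    return m.group(1) if m else ""


def check_af_packet_filters(yaml_text: str) -> list:
    """Return (value, verdict) for every bpf-filter key under af-packet."""
    findings = []
    for m in _BPF_LINE.finditer(af_packet_section(yaml_text)):
        value = _unquote(m.group("val"))
        verdict = "file path: bpf-filter takes an expression; pass a file with -F" \
            if looks_like_path(value) else "ok"
        findings.append((value, verdict))
    return findings


def bpf_file_to_expression(text: str) -> str:
    """Join a multi-line .bpf file (blank and '#' lines dropped) into one expression."""
    parts = [ln.strip() for ln in text.splitlines()
             if ln.strip() and not ln.lstrip().startswith("#")]
    return " ".join(parts)
```

Running `check_af_packet_filters(SAMPLE_YAML)` reports the enp2s0 entry as a path and the enp0s3 entry as ok; `bpf_file_to_expression(SAMPLE_BPF_FILE)` yields the one-line filter to put in the YAML if the file cannot be passed with -F.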