[Oisf-users] BPF filter in socket mode

Francis Trudeau trudeauf at gmail.com
Fri Jan 10 15:59:42 UTC 2020


When I run Suricata with a bad BPF it errors like this:

frantrudeau at researchvm:~$ /opt/suricata/suricata-src/suricata-5.0.1/src/suricata 'bad bpf filter' -l /var/log/suricata -c /etc/suricata/suricata.5.0.x.local.yaml -r /tmp/test.pcap
[10207] 10/1/2020 -- 08:54:27 - (suricata.c:1084) <Notice> (LogVersion) -- This is Suricata version 5.0.1 RELEASE running in USER mode
[10221] 10/1/2020 -- 08:54:27 - (source-pcap-file-helper.c:183) <Error> (InitPcapFile) -- [ERRCODE: SC_ERR_BPF(127)] - bpf compilation error syntax error in filter expression: syntax error for /tmp/test.pcap

Which is expected.  However, when I start Suricata in socket mode, it
does not error upon invocation:

frantrudeau at researchvm:~$ /opt/suricata/suricata-src/suricata-5.0.1/src/suricata 'bad bpf filter' -c /etc/suricata/suricata.5.0.x.daemon.yaml --unix-socket=/tmp/patpoopysocket
[10078] 10/1/2020 -- 08:51:21 - (suricata.c:1084) <Notice> (LogVersion) -- This is Suricata version 5.0.1 RELEASE running in SYSTEM mode
[10078] 10/1/2020 -- 08:52:23 - (tm-threads.c:2165) <Notice> (TmThreadWaitOnThreadInit) -- all 0 packet processing threads, 0 management threads initialized, engine started.

It does error when given a pcap:

[10320] 10/1/2020 -- 08:58:29 - (source-pcap-file-helper.c:183) <Error> (InitPcapFile) -- [ERRCODE: SC_ERR_BPF(127)] - bpf compilation error syntax error in filter expression: syntax error for /tmp/test.pcap

Is this a bug or expected behavior?

-FT
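An added example, not part of the post or of Suricata itself: a POSIX sh wrapper that compiles the filter expression with tcpdump against a constructed, empty Ethernet pcap before launching socket mode, so a broken expression fails at startup instead of on the first pcap submitted over the socket (the log above shows Suricata only compiles it in InitPcapFile). It assumes tcpdump is installed; the suricata paths are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the original post or the Suricata project).
# Assumption: tcpdump is available. The filter is compiled against a
# constructed empty pcap, so no capture privileges are required.

# Write a 24-byte pcap global header (little-endian magic, version 2.4,
# snaplen 65535, link type 1 = Ethernet) with no packet records.
make_empty_pcap() {
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$1"
}

# validate_bpf FILTER -> 0 if the filter compiles, 1 if it does not,
# 2 if tcpdump is unavailable and no check could be made.
validate_bpf() {
    filter=$1
    command -v tcpdump >/dev/null 2>&1 || return 2
    tmp=$(mktemp) || return 2
    make_empty_pcap "$tmp"
    # -d compiles the filter for the file's link type and dumps the BPF
    # program instead of reading packets; a bad expression exits non-zero,
    # with the same "syntax error in filter expression" libpcap message
    # Suricata logs above.
    if tcpdump -r "$tmp" -d "$filter" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Usage: ./wrapper.sh 'tcp port 80' -- start socket mode only if the
# filter compiled. Paths are the ones from the post; adjust to taste.
if [ "${1-}" != "" ]; then
    rc=0
    validate_bpf "$1" || rc=$?
    case $rc in
        0) exec /opt/suricata/suricata-src/suricata-5.0.1/src/suricata "$1" \
               -c /etc/suricata/suricata.5.0.x.daemon.yaml \
               --unix-socket=/tmp/patpoopysocket ;;
        1) echo "refusing to start: BPF filter '$1' does not compile" >&2; exit 1 ;;
        2) echo "warning: tcpdump not found, filter not pre-checked" >&2 ;;
    esac
fi
```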
