[Oisf-users] BPF Filter in af-packet Suricata 5.0.1

Peter Manev petermanev at gmail.com
Fri Jan 10 17:10:01 UTC 2020


On Fri, Jan 10, 2020 at 12:58 PM Tiago Faria <tiago.faria.backups at gmail.com>
wrote:

> On Fri, Jan 10, 2020 at 10:20 AM Peter Manev <petermanev at gmail.com> wrote:
>
>> When you start suri in verbose mode on the command line  while
>> specifying the file in suricata.yaml
>> -> bpf-filter: '/etc/suricata/capture-filter.bpf'
>> Do you have any errors /output with regards to that?
>>
>
> When referring to a file:
>
> [12118] 10/1/2020 -- 11:41:29 - (source-af-packet.c:2274) <Error>
> (AFPSetBPFFilter) -- [ERRCODE: SC_ERR_AFP_CREATE(190)] - Failed to compile
> BPF "/etc/suricata/capture-filter.bpf": syntax error in filter expression:
> syntax error
> [12118] 10/1/2020 -- 11:41:29 - (source-af-packet.c:1507) <Error>
> (ReceiveAFPLoop) -- [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init
> AF_PACKET socket, fatal error
>
> If I replace that with a BPF expression, for example:
>
> bpf-filter: "not host 1.1.1.1"
>
> [12136] 10/1/2020 -- 11:44:27 - (source-af-packet.c:2261) <Info>
> (AFPSetBPFFilter) -- Using BPF 'not host 1.1.1.1' on iface 'enp0s3'
>
> Calling the file with -F works as intended as well.
>
> Is it safe to assume there isn't a way of calling the file via
> suricata.yaml?
>

It would make sense to be able to pass a file as well as just a filter, I think, per interface if needed - so I am voting for opening a ticket on that :)


>
>
>>
>>
>>>
>>> On Fri, 10 Jan 2020 at 08:18, Peter Manev <petermanev at gmail.com> wrote:
>>>
>>>>
>>>>
>>>> On Fri, Jan 10, 2020 at 1:56 AM Tiago Faria <
>>>> tiago.faria.backups at gmail.com> wrote:
>>>>
>>>>> Hi list,
>>>>>
>>>>> I wanted to first check here before going into Redmine, but it appears
>>>>> that Suricata 5.0.1 is not processing/accepting "bpf-filter: <file>" under
>>>>> af-packet.
>>>>>
>>>>> Section of suricata.yaml:
>>>>>
>>>>> af-packet:
>>>>> -   cluster-id: 1
>>>>>     cluster-type: cluster_flow
>>>>>     interface: enp2s0
>>>>>     threads: auto
>>>>>     tpacket-v3: 'yes'
>>>>>     use-mmap: 'yes'
>>>>>     bpf-filter: '/etc/suricata/capture-filter.bpf'
>>>>>
>>>>
>>>> I think this spot is for the filter itself  , for example
>>>> bpf-filter: not host 1.1.1.1 and not host 2.2.2.2
>>>> (for that specific interface enp2s0)
>>>>
>>>> if you have a BPF file you can supply it on the start/command line like
>>>> suricata -F /path/to/bpf.file
>>>>
>>>>
>>>>>
>>>>> The content of capture-filter.bpf:
>>>>>
>>>>> not host 1.1.1.1 and
>>>>> not host 2.2.2.2
>>>>>
>>>>> As far as I could tell from the documentation both the content of the
>>>>> file and the yaml configuration should be OK.
>>>>>
>>>>> Any pointers?
>>>>>
>>>>> Thank you.
>>>>> T
>>>>> _______________________________________________
>>>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>>>> Site: http://suricata-ids.org | Support:
>>>>> http://suricata-ids.org/support/
>>>>> List:
>>>>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>>>
>>>>> Conference: https://suricon.net
>>>>> Trainings: https://suricata-ids.org/training/
>>>>
>>>>
>>>>
>>>> --
>>>> Regards,
>>>> Peter Manev
>>>>
>>>
>>
>> --
>> Regards,
>> Peter Manev
>>
>

-- 
Regards,
Peter Manev
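The thread comes down to one distinction: the per-interface `bpf-filter` key under `af-packet` takes a BPF expression, while a filter file is supplied on the command line with `-F`, and a path written into the yaml key is compiled as an expression and fails with the syntax error shown above. The following pre-flight check is an added example for this page, not code from the thread or from the Suricata project; it assumes a POSIX shell, that `--af-packet=<iface>` and `-F <file>` are the Suricata options meant here, and a constructed two-line filter file like the one in the original mail.

```shell
#!/bin/sh
# Added example (not from the thread or the Suricata project): check an
# af-packet bpf-filter value before starting Suricata, so a file path is not
# handed to the yaml key that expects a BPF expression.

# Classify a bpf-filter value: "file" if it names an existing file,
# "path-missing" if it looks like a path that does not exist, else "expr".
classify_bpf_value() {
    value=$1
    case "$value" in
        /*)
            if [ -f "$value" ]; then echo file; else echo path-missing; fi ;;
        *)
            echo expr ;;
    esac
}

# Flatten a multi-line BPF file (as in the thread) into the single-line
# expression that gets compiled, dropping '#' comments and surplus whitespace.
flatten_bpf_file() {
    sed -e 's/#.*$//' "$1" | tr '\n' ' ' | tr -s ' ' | sed -e 's/^ //' -e 's/ $//'
}

# Print the command line that matches the value: a file goes to -F on the
# command line, an expression stays in suricata.yaml under the interface.
suggest_suricata_cmd() {
    value=$1
    iface=$2
    case "$(classify_bpf_value "$value")" in
        file)
            echo "suricata --af-packet=$iface -F $value" ;;
        path-missing)
            echo "ERROR: $value looks like a path but does not exist" >&2
            return 1 ;;
        expr)
            echo "suricata --af-packet=$iface  (keep bpf-filter: '$value' in suricata.yaml)" ;;
    esac
}

# Stand-alone usage: ./check-bpf.sh <bpf-filter value> <interface>
if [ "$#" -ge 2 ]; then
    suggest_suricata_cmd "$1" "$2"
fi
```

Run with the path from the thread and the interface name to get the `-F` invocation; run with an expression to confirm it belongs in the yaml. `flatten_bpf_file` shows what a multi-line file such as `not host 1.1.1.1 and` / `not host 2.2.2.2` compiles to, which is handy when a filter file itself is suspected of a syntax error.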