[Oisf-users] BPF Filter in af-packet Suricata 5.0.1

Tiago Faria tiago.faria.backups at gmail.com
Fri Jan 10 17:29:58 UTC 2020


Thank you Peter! Done!

https://redmine.openinfosecfoundation.org/issues/3439

Referred back to this thread in the ticket. Thanks for the help!

On Fri, Jan 10, 2020 at 5:10 PM Peter Manev <petermanev at gmail.com> wrote:

>
>
> On Fri, Jan 10, 2020 at 12:58 PM Tiago Faria <tiago.faria.backups at gmail.com> wrote:
>
>> On Fri, Jan 10, 2020 at 10:20 AM Peter Manev <petermanev at gmail.com> wrote:
>>
>>> When you start suri in verbose mode on the command line while
>>> specifying the file in suricata.yaml
>>> -> bpf-filter: '/etc/suricata/capture-filter.bpf'
>>> Do you have any errors/output with regards to that?
>>>
>>
>> When referring to a file:
>>
>> [12118] 10/1/2020 -- 11:41:29 - (source-af-packet.c:2274) <Error>
>> (AFPSetBPFFilter) -- [ERRCODE: SC_ERR_AFP_CREATE(190)] - Failed to compile
>> BPF "/etc/suricata/capture-filter.bpf": syntax error in filter expression:
>> syntax error
>> [12118] 10/1/2020 -- 11:41:29 - (source-af-packet.c:1507) <Error>
>> (ReceiveAFPLoop) -- [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init
>> AF_PACKET socket, fatal error
>>
>> If I replace that with a BPF expression, for example:
>>
>> bpf-filter: "not host 1.1.1.1"
>>
>> [12136] 10/1/2020 -- 11:44:27 - (source-af-packet.c:2261) <Info>
>> (AFPSetBPFFilter) -- Using BPF 'not host 1.1.1.1' on iface 'enp0s3'
>>
>> Calling the file with -F works as intended as well.
>>
>> Is it safe to assume there isn't a way of calling the file via
>> suricata.yaml?
>>
>
> It would make sense to be able to pass a file as well as just a filter, I think,
> per interface if needed - so I am voting for opening a ticket on that :)
>>>>
>>>> On Fri, 10 Jan 2020 at 08:18, Peter Manev <petermanev at gmail.com> wrote:
>>>>
>>>>>
>>>>>
>>>>> On Fri, Jan 10, 2020 at 1:56 AM Tiago Faria <tiago.faria.backups at gmail.com> wrote:
>>>>>
>>>>>> Hi list,
>>>>>>
>>>>>> I wanted to first check here before going into Redmine, but it
>>>>>> appears that Suricata 5.0.1 is not processing/accepting "bpf-filter:
>>>>>> <file>" under af-packet.
>>>>>>
>>>>>> Section of suricata.yaml:
>>>>>>
>>>>>> af-packet:
>>>>>> -   cluster-id: 1
>>>>>>     cluster-type: cluster_flow
>>>>>>     interface: enp2s0
>>>>>>     threads: auto
>>>>>>     tpacket-v3: 'yes'
>>>>>>     use-mmap: 'yes'
>>>>>>     bpf-filter: '/etc/suricata/capture-filter.bpf'
>>>>>>
>>>>>
>>>>> I think this spot is for the filter itself, for example
>>>>> bpf-filter: not host 1.1.1.1 and not host 2.2.2.2
>>>>> (for that specific interface enp2s0)
>>>>>
>>>>> If you have a BPF file you can supply it on the start/command line,
>>>>> like
>>>>> suricata -F /path/to/bpf.file
>>>>>
>>>>>
>>>>>>
>>>>>> The content of capture-filter.bpf:
>>>>>>
>>>>>> not host 1.1.1.1 and
>>>>>> not host 2.2.2.2
>>>>>>
>>>>>> As far as I could tell from the documentation both the content of the
>>>>>> file and the yaml configuration should be OK.
>>>>>>
>>>>>> Any pointers?
>>>>>>
>>>>>> Thank you.
>>>>>> T
>>>>>> _______________________________________________
>>>>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>>>>> Site: http://suricata-ids.org | Support:
>>>>>> http://suricata-ids.org/support/
>>>>>> List:
>>>>>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>>>>
>>>>>> Conference: https://suricon.net
>>>>>> Trainings: https://suricata-ids.org/training/
>>>>>
>>>>> --
>>>>> Regards,
>>>>> Peter Manev
>>>>
>>> --
>>> Regards,
>>> Peter Manev
>>
> --
> Regards,
> Peter Manev
>
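An added example, not code from the thread or from the Suricata project: the log lines above show that Suricata 5.0.1 compiles the af-packet `bpf-filter` value as a BPF expression, so a file path there fails with "syntax error in filter expression". The helper below rewrites such a path-valued entry into the inline form, collapsing the multi-line file content into one expression. It assumes the file is plain text like capture-filter.bpf and uses the heuristic (not Suricata behaviour) that a value starting with "/" is a path.

```python
import re

# Matches a bpf-filter key in an af-packet interface entry (optionally right
# after the list dash) and captures its raw value, quoted or not.
_BPF_LINE = re.compile(r"^(?P<indent>\s*(?:-\s+)?)bpf-filter:\s*(?P<value>.+?)\s*$")


def _unquote(value):
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value


def looks_like_path(value):
    # Assumption: a BPF expression never starts with '/', an absolute path does.
    return value.startswith("/")


def normalise_bpf_file(text):
    # The file may wrap the expression over several lines; the inline setting
    # needs a single expression, so collapse all whitespace runs to one space.
    return " ".join(text.split())


def inline_bpf_filters(yaml_text, read_file):
    """Return (rewritten_yaml, [(path, expression), ...]).

    read_file(path) must return the filter file's content; passing a mapping's
    __getitem__ keeps this runnable offline. The change list lets an operator
    review exactly which interfaces were rewritten before deploying the config.
    """
    out, changed = [], []
    for line in yaml_text.splitlines():
        m = _BPF_LINE.match(line)
        if m and looks_like_path(_unquote(m.group("value"))):
            path = _unquote(m.group("value"))
            expr = normalise_bpf_file(read_file(path))
            out.append('{}bpf-filter: "{}"'.format(m.group("indent"), expr))
            changed.append((path, expr))
        else:
            out.append(line)
    return "\n".join(out) + "\n", changed


# Constructed sample mirroring the thread's suricata.yaml and capture-filter.bpf.
SAMPLE_YAML = """af-packet:
  - cluster-id: 1
    cluster-type: cluster_flow
    interface: enp2s0
    bpf-filter: '/etc/suricata/capture-filter.bpf'
  - cluster-id: 2
    interface: enp0s3
    bpf-filter: "not host 1.1.1.1"
"""
SAMPLE_FILES = {"/etc/suricata/capture-filter.bpf": "not host 1.1.1.1 and\nnot host 2.2.2.2\n"}

if __name__ == "__main__":
    new_yaml, changes = inline_bpf_filters(SAMPLE_YAML, SAMPLE_FILES.__getitem__)
    print(new_yaml)
    print("rewritten:", changes)
```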