List: oisf-users
Subject: Re: [Oisf-users] Suricata / only public trafic
From: Amrith Z <amrith () hotmail ! fr>
Date: 2011-09-01 9:42:38
Message-ID: BAY161-W1765733633C731FD37B97DB1190 () phx ! gbl
Hi,
I changed hardware. It seems to work now! No idea why...
But I don't have the msg regarding the bpf filter during startup:
[3049] 1/9/2011 -- 12:37:35 - (suricata.c:440) <Info> (main) -- This is Suricata version 1.1beta1
[3049] 1/9/2011 -- 12:37:35 - (util-cpu.c:171) <Info> (UtilCpuPrintSummary) -- CPUs/cores online: 2
So I'm using 1.1beta1. Should I change?
Do you think it is possible to say in the bpf filter that I want the alerts only when the source OR the destination is a public IP? I think this type of configuration can be very relevant for some cases.
Thx Victor !
> Date: Wed, 31 Aug 2011 11:01:49 +0200
> From: victor@inliniac.net
> To: amrith@hotmail.fr
> CC: oisf-users@openinfosecfoundation.org
> Subject: Re: [Oisf-users] Suricata / only public trafic
>
> I just tested it and it works fine for me. During startup I have the
> following message:
>
> [16395] 31/8/2011 -- 10:56:30 - (source-pcap.c:459) <Info>
> (ReceivePcapThreadInit) -- using bpf-filter "not net 192.168.0.0/16"
>
> Can you confirm you have a similar message?
>
> Also, what versions of Suricata and libpcap are you using?
>
> Cheers,
> Victor
>
> On 08/30/2011 01:44 PM, Amrith Z wrote:
> >
> > Yes. This is the last line of fast.log :
> >
> > 08/30/2011-11:00:01.219120 [**] [1:366:7] GPL ICMP_INFO PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 172.18.5.10:8 -> 172.18.8.6:0
> > Thx Victor.
> >
> > > Date: Tue, 30 Aug 2011 11:07:34 +0200
> > > From: victor@inliniac.net
> > > To: oisf-users@openinfosecfoundation.org
> > > Subject: Re: [Oisf-users] Suricata / only public trafic
> > >
> > > On 08/30/2011 11:03 AM, Amrith Z wrote:
> > > >
> > > > Thx for answering!
> > > >
> > > >
> > > >
> > > > I changed the bpf filter the way you said it, and I have still logs from my internal network.
> > >
> > > Can you post an alert from the fast.log?
> > >
> > > Regards,
> > > Victor
> > >
> > > --
> > > ---------------------------------------------
> > > Victor Julien
> > > http://www.inliniac.net/
> > > PGP: http://www.inliniac.net/victorjulien.asc
> > > ---------------------------------------------
> > >
> > > _______________________________________________
> > > Oisf-users mailing list
> > > Oisf-users@openinfosecfoundation.org
> > > http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >
>
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
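The question above asks for a capture filter that keeps a packet only when at least one endpoint is public, which "not net 192.168.0.0/16" alone does not express (it also drops public-to-internal traffic). The script below is an added illustration and not code from this thread or from Suricata: it builds the libpcap filter expression for that condition and applies the same "both endpoints private" test in Python to a few constructed fast.log lines, so the expression can be sanity-checked before it goes into suricata.yaml or onto the command line. The 10.0.0.0/8 and 172.16.0.0/12 ranges are an assumption about a typical internal network; the thread only mentions 192.168.0.0/16.

```python
"""Build and sanity-check an "at least one public endpoint" BPF filter.

Added example for this thread, not Suricata code. The BPF text uses only
standard libpcap primitives (src net / dst net with CIDR masks).
"""
import ipaddress
import re

# Assumed internal ranges (RFC 1918). Only 192.168.0.0/16 appears in the
# thread; the other two are an assumption about a typical deployment.
PRIVATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# fast.log lines end with "{PROTO} src:port -> dst:port"
_ENDPOINTS = re.compile(r"\{\w+\}\s+(\S+?):\d+\s+->\s+(\S+?):\d+\s*$")


def build_bpf(private_nets=PRIVATE_NETS):
    """Return a libpcap filter that drops a packet only when BOTH its
    source and its destination are private, i.e. keeps anything that has
    at least one public endpoint."""
    src = " or ".join(f"src net {n}" for n in private_nets)
    dst = " or ".join(f"dst net {n}" for n in private_nets)
    return f"not (({src}) and ({dst}))"


def is_private(addr, private_nets=PRIVATE_NETS):
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in private_nets)


def has_public_endpoint(src, dst, private_nets=PRIVATE_NETS):
    # Same truth table as the BPF expression built above.
    return not (is_private(src, private_nets) and is_private(dst, private_nets))


def filter_alerts(lines, private_nets=PRIVATE_NETS):
    """Keep only fast.log lines that have at least one public endpoint.
    Lines that do not parse are kept so nothing is silently discarded."""
    kept = []
    for line in lines:
        m = _ENDPOINTS.search(line)
        if m is None or has_public_endpoint(m.group(1), m.group(2), private_nets):
            kept.append(line)
    return kept


# Constructed sample input. The first line is the one posted in the
# thread; the others are made up (local SID range, documentation
# addresses) to exercise each case.
SAMPLE_FAST_LOG = [
    "08/30/2011-11:00:01.219120 [**] [1:366:7] GPL ICMP_INFO PING *NIX [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 172.18.5.10:8 -> 172.18.8.6:0",
    "08/30/2011-11:00:02.000000 [**] [1:1000001:1] LOCAL test rule [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 10.1.2.3:51000 -> 203.0.113.9:80",
    "08/30/2011-11:00:03.000000 [**] [1:1000002:1] LOCAL test rule [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.7:443 -> 192.168.1.5:52000",
    "08/30/2011-11:00:04.000000 [**] [1:1000003:1] LOCAL test rule [**] "
    "[Classification: Misc activity] [Priority: 3] {UDP} 192.168.1.5:53 -> 10.0.0.2:53",
]


if __name__ == "__main__":
    print("bpf-filter:", build_bpf())
    for line in filter_alerts(SAMPLE_FAST_LOG):
        print("kept:", line)
```

With the sample above, the internal-only ICMP alert from the thread and the 192.168.x to 10.x line are dropped, while the two lines with a public endpoint survive, which is the behaviour the question asks for. Suricata will still print the "using bpf-filter ..." line at startup when the expression is actually applied, so that message remains the quickest confirmation that the filter is in effect.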