
List:       oisf-users
Subject:    Re: [Oisf-users] BPF Filter in af-packet Suricata 5.0.1
From:       Tiago Faria <tiago.faria.backups () gmail ! com>
Date:       2020-01-10 17:29:58
Message-ID: CAF8FeX8SSQF+rjtYevZcM=dHgFH9HTr=jqYSDCUXbR=f1auKAw () mail ! gmail ! com



Thank you Peter! Done!

https://redmine.openinfosecfoundation.org/issues/3439

Referred back to this thread in the ticket. Thanks for the help!

On Fri, Jan 10, 2020 at 5:10 PM Peter Manev <petermanev@gmail.com> wrote:

>
>
> On Fri, Jan 10, 2020 at 12:58 PM Tiago Faria <
> tiago.faria.backups@gmail.com> wrote:
>
>> On Fri, Jan 10, 2020 at 10:20 AM Peter Manev <petermanev@gmail.com>
>> wrote:
>>
>>> When you start suri in verbose mode on the command line while
>>> specifying the file in suricata.yaml
>>> -> bpf-filter: '/etc/suricata/capture-filter.bpf'
>>> Do you have any errors/output with regards to that?
>>>
>>
>> When referring to a file:
>>
>> [12118] 10/1/2020 -- 11:41:29 - (source-af-packet.c:2274) <Error>
>> (AFPSetBPFFilter) -- [ERRCODE: SC_ERR_AFP_CREATE(190)] - Failed to compile
>> BPF "/etc/suricata/capture-filter.bpf": syntax error in filter expression:
>> syntax error
>> [12118] 10/1/2020 -- 11:41:29 - (source-af-packet.c:1507) <Error>
>> (ReceiveAFPLoop) -- [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init
>> AF_PACKET socket, fatal error
>>
>> If I replace that with a BPF expression, for example:
>>
>> bpf-filter: "not host 1.1.1.1"
>>
>> [12136] 10/1/2020 -- 11:44:27 - (source-af-packet.c:2261) <Info>
>> (AFPSetBPFFilter) -- Using BPF 'not host 1.1.1.1' on iface 'enp0s3'
>>
>> Calling the file with -F works as intended as well.
>>
>> Is it safe to assume there isn't a way of calling the file via
>> suricata.yaml?
>>
>
> It would make sense to be able to pass a file as well, not just a filter, I think,
> per interface if needed - so I am voting for opening a ticket on that :)
>
>
>>
>>
>>>
>>>
>>>>
>>>> On Fri, 10 Jan 2020 at 08:18, Peter Manev <petermanev@gmail.com> wrote:
>>>>
>>>>>
>>>>>
>>>>> On Fri, Jan 10, 2020 at 1:56 AM Tiago Faria <
>>>>> tiago.faria.backups@gmail.com> wrote:
>>>>>
>>>>>> Hi list,
>>>>>>
>>>>>> I wanted to first check here before going into Redmine, but it
>>>>>> appears that Suricata 5.0.1 is not processing/accepting "bpf-filter:
>>>>>> <file>" under af-packet.
>>>>>>
>>>>>> Section of suricata.yaml:
>>>>>>
>>>>>> af-packet:
>>>>>> -   cluster-id: 1
>>>>>>     cluster-type: cluster_flow
>>>>>>     interface: enp2s0
>>>>>>     threads: auto
>>>>>>     tpacket-v3: 'yes'
>>>>>>     use-mmap: 'yes'
>>>>>>     bpf-filter: '/etc/suricata/capture-filter.bpf'
>>>>>>
>>>>>
>>>>> I think this spot is for the filter itself, for example
>>>>> bpf-filter: not host 1.1.1.1 and not host 2.2.2.2
>>>>> (for that specific interface enp2s0)
>>>>>
>>>>> if you have a BPF file you can supply it on the start/command line
>>>>> like
>>>>> suricata -F /path/to/bpf.file
>>>>>
>>>>>
>>>>>>
>>>>>> The content of capture-filter.bpf:
>>>>>>
>>>>>> not host 1.1.1.1 and
>>>>>> not host 2.2.2.2
>>>>>>
>>>>>> As far as I could tell from the documentation both the content of the
>>>>>> file and the yaml configuration should be OK.
>>>>>>
>>>>>> Any pointers?
>>>>>>
>>>>>> Thank you.
>>>>>> T
>>>>>> _______________________________________________
>>>>>> Suricata IDS Users mailing list: oisf-users@openinfosecfoundation.org
>>>>>> Site: http://suricata-ids.org | Support:
>>>>>> http://suricata-ids.org/support/
>>>>>> List:
>>>>>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>>>>
>>>>>> Conference: https://suricon.net
>>>>>> Trainings: https://suricata-ids.org/training/
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Regards,
>>>>> Peter Manev
>>>>>
>>>>
>>>
>>> --
>>> Regards,
>>> Peter Manev
>>>
>>
>
> --
> Regards,
> Peter Manev
>
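The thread boils down to one point: the af-packet `bpf-filter` key in suricata.yaml is compiled as a BPF expression for that interface, so a file path placed there fails with the "syntax error in filter expression" shown above, while a file of filter text goes on the command line with `-F`. The following preflight check is an added example written for this thread, not code from Suricata or from either poster. It parses the af-packet section with a minimal line-based reader (a constructed sample, so no PyYAML dependency), flags a `bpf-filter` value that looks like a path rather than an expression, and shows both fixes: the `-F` invocation and the single-line expression that the file's contents would become. The treatment of the file (joining lines with spaces and dropping `#` comment lines) is an assumption about how `-F` flattens a filter file, not something the thread states.

```python
"""Preflight check for the af-packet ``bpf-filter`` key (added example)."""
import re

# Constructed sample: the af-packet section from the thread, with the file path
# that Suricata 5.0.1 tried to compile as a filter expression.
SAMPLE_YAML = """\
af-packet:
  - cluster-id: 1
    cluster-type: cluster_flow
    interface: enp2s0
    threads: auto
    tpacket-v3: 'yes'
    use-mmap: 'yes'
    bpf-filter: '/etc/suricata/capture-filter.bpf'
"""

# Constructed contents of capture-filter.bpf as posted (expression split over two lines).
SAMPLE_BPF_FILE = "not host 1.1.1.1 and\nnot host 2.2.2.2\n"


def parse_af_packet(text):
    """Return one dict per af-packet list entry.

    Deliberately minimal: assumes the one-key-per-line layout used in the thread
    and stops at the next top-level key. Not a general YAML parser.
    """
    entries, current, in_section = [], None, False
    for raw in text.splitlines():
        if raw.startswith("af-packet:"):
            in_section = True
            continue
        if not in_section:
            continue
        if raw and not raw[0].isspace():  # next top-level key ends the section
            break
        stripped = raw.strip()
        if stripped.startswith("- "):     # "- " opens a new interface entry
            current = {}
            entries.append(current)
            stripped = stripped[2:]
        if current is None or ":" not in stripped:
            continue
        key, _, val = stripped.partition(":")
        current[key.strip()] = val.strip().strip("'\"")
    return entries


def looks_like_path(value):
    """Heuristic: an absolute path or a .bpf name is a file, not an expression."""
    return value.startswith("/") or value.endswith(".bpf")


def file_to_expression(text):
    """Flatten a filter file into one expression.

    Assumption (labelled): comment lines starting with '#' are dropped and the
    remaining lines are joined with single spaces, which is what a BPF compiler
    needs since it does not accept a file name as filter syntax.
    """
    parts = [line.strip() for line in text.splitlines()]
    parts = [p for p in parts if p and not p.startswith("#")]
    return re.sub(r"\s+", " ", " ".join(parts))


def check(yaml_text, read_file):
    """Return findings for every interface whose bpf-filter is a file path.

    ``read_file(path)`` returns the file's text; it is injected so the check can
    run offline against the constructed sample above.
    """
    findings = []
    for entry in parse_af_packet(yaml_text):
        bpf = entry.get("bpf-filter")
        if bpf is None or not looks_like_path(bpf):
            continue
        expr = file_to_expression(read_file(bpf))
        findings.append({
            "interface": entry.get("interface", "?"),
            "problem": "bpf-filter holds a file path; Suricata compiles the value as a BPF expression",
            "fix_cli": f"suricata -F {bpf}",
            "fix_yaml": f'bpf-filter: "{expr}"',
        })
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE_YAML, lambda _path: SAMPLE_BPF_FILE):
        print(f"[{finding['interface']}] {finding['problem']}")
        print(f"  either: {finding['fix_cli']}")
        print(f"  or:     {finding['fix_yaml']}")
```

Run against a real config by replacing the lambda with `lambda p: open(p).read()`; a value such as `"not host 1.1.1.1"` produces no finding, matching the working case in the thread.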



