BPF filter file with af_packet not functioning

ReignInChaos · May 4, 2020, 9:42pm

Looking for some assistance getting Suricata configuration to function with af_packet and setting a BPF filter file. I am setting bpf-filter: under af_packet in suricata.yaml however getting the error below:

(source-af-packet.c:2274) (AFPSetBPFFilter) – [ERRCODE: SC_ERR_AFP_CREATE(190)] - Failed to compile BPF “”: syntax error

I’ve tested with an inline BPF filter in the configuration and it seems to function.

Is setting the filename not an option in the configuration?

pevma · May 5, 2020, 6:13am

Not directly yet in the yaml config in af-packet Feature #3439: bpf-filter does not accept path/file - Suricata - Open Information Security Foundation
But you can specify it on the command line

suricata -F bp.filter

ReignInChaos · May 5, 2020, 11:55am

Understood and thanks for providing the ticket. I wasn’t able to deduce if this was being worked on or targeted for a release.

vjulien · May 5, 2020, 12:38pm

If you’re willing and able to test, see https://github.com/OISF/suricata/pull/4834

Topic		Replies	Views
How to specifying a BPF when using af-packet and running as a service (on ubuntu) Help	3	1959	April 4, 2021
Error load lb. bpf file when using load balancing for af-packet? Help ips	2	525	April 7, 2021
Xdp_filter - suricata Help suricata , xdp	10	676	June 1, 2023
Getting errors trying to analyze pcap file in offline mode Help suricata	3	736	April 17, 2023
XDP filter: skipping unrecognized data section Help	4	1226	January 28, 2021

BPF filter file with af_packet not functioning

Related topics