How to specifying a BPF when using af-packet and running as a service (on ubuntu)

greemi01 · March 9, 2021, 3:41pm

Hi,

We are running Suricata as a service and using af-packet mode. We would also like to specify a BPF.

I know that I can do it with by launching Suricata manually and putting the BPF on the command line.

I see that there is a known issue that the bpf-filter cannot be set in the suricata.yaml file (BPF filter file with af_packet not functioning)

I don’t see an obvious way to set this in the /etc/default/suricata file

Is there a way to specify the BPF filter when launching as a service? I can always make a new service with the correct command line, but it does not seem to be so nice.

Thanks,

Is there a way to get the desired effect while using a service ?

Thanks

masual · March 11, 2021, 4:32pm

Do you mean something like this: https://suricata.readthedocs.io/en/suricata-6.0.0/capture-hardware/ebpf-xdp.html#setup-ebpf-bypass

  - interface: eth3
      threads: 16
      cluster-id: 97
      cluster-type: cluster_qm # symmetric RSS hashing is mandatory to use this mode
      # eBPF file containing a 'filter' function that will be inserted into the
      # kernel and used as packet filter function
      ebpf-filter-file:  /usr/libexec/suricata/ebpf/bypass_filter.bpf
      bypass: yes
      use-mmap: yes
      ring-size: 200000

greemi01 · March 11, 2021, 4:41pm

We’ll give it a try … thanks

greemi01 · April 4, 2021, 11:25am

It is also solve with bpf-filter: “…” (I had originannly forgotten the ")

Topic		Replies	Views
BPF filter file with af_packet not functioning Help	3	2152	May 5, 2020
Packet Filter (BPF) not working / ignored suricata	13	78	March 13, 2025
Error load lb. bpf file when using load balancing for af-packet? Help ips	2	531	April 7, 2021
AF_Packets using only one capture thread Help ips	3	2026	April 5, 2021
Xdp_filter - suricata Help suricata , xdp	10	685	June 1, 2023

How to specifying a BPF when using af-packet and running as a service (on ubuntu)

Related topics