I need some assistance getting BPF working.
We’re streaming from a MikroTik RouterOS firewall to Suricata 7.0.7 using trafr and -r /dev/stdin:
sudo /bin/sh -c '/usr/bin/trafr -s | /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /run/suricata.pid -r /dev/stdin -v not host 10.10.111.200 -l /var/log/suricata/'
I’m trying to exclude our monitoring system which is scanning the networking via SNMP.
Even a simple filter like this seems to be ignored completely (I still see all traffic in the Suricata logs): -v not host 10.10.111.200
Specifying the filter in the file /etc/suricata/capture-filter.bpf also doesn’t work:
sudo /bin/sh -c '/usr/bin/trafr -s | /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /run/suricata.pid -r /dev/stdin -F /etc/suricata/capture-filter.bpf -l /var/log/suricata/'
What am I doing wrong? Is this not supported when reading from pcap (-r), or is it even a BUG?
The BPF is supposed to be the last part of the Suricata command line, so you could try moving it there. Alternatively, you can put the filter in a file and load it from the command line with -F <file path>.
I already tried that by using a bpf file, which also didn’t work (see my initial post above).
Even when I move it to the end, the filter is completely ignored:
sudo /bin/sh -c '/usr/bin/trafr -s | /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /run/suricata.pid -r /dev/stdin -l /var/log/suricata/ -v not host 10.10.111.200'
Same if I put -F /path/to/file.bpf at the end of the command:
sudo /bin/sh -c '/usr/bin/trafr -s | /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /run/suricata.pid -r /dev/stdin -l /var/log/suricata/ -F /etc/suricata/capture-filter.bpf'
Just tried it again to make 100% sure:
sudo /bin/sh -c '/usr/bin/trafr -s | /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /run/suricata.pid -r /dev/stdin -l /var/log/suricata/ -v not host 172.17.0.39'
Notice: suricata: This is Suricata version 7.0.8 RELEASE running in USER mode
Info: cpu: CPUs/cores online: 8
Info: suricata: Setting engine mode to IDS mode by default
Info: logopenfile: fast output device (regular) initialized: fast.log
Info: logopenfile: eve-log output device (regular) initialized: eve.json
Warning: runmodes: eve module 'ikev2' has been replaced by 'ike'
Info: logopenfile: stats output device (regular) initialized: stats.log
Info: detect: 2 rule files processed. 95311 rules successfully loaded, 0 rules failed, 0
Info: threshold-config: Threshold config parsed: 0 rule(s) found
Info: detect: 95314 signatures processed. 1259 are IP-only rules, 4439 are inspecting packet payload, 89405 inspect application layer, 108 are decoder event only
Info: pcap: using bpf-filter "not host 172.17.0.39"
Info: pcap: Starting file run for /dev/stdin
Notice: threads: Threads created -> RX: 1 W: 8 FM: 1 FR: 1 Engine started.
Info: checksum: More than 1/10th of packets have an invalid checksum, assuming checksum offloading is used (128/1000)
Notice: detect: rule reload starting
I had a kinda similar issue, when I thought I was crazy and BPF didn't work for some reason. The problem was that I had 2 instances of Suricata running simultaneously, one with the BPF working and one without a BPF.