Packet Filter (BPF) not working / ignored

Hi Community.

I need some assistance getting BPF working.
We’re streaming from a MikroTik RouterOS firewall to Suricata 7.0.7 using trafr and -r /dev/stdin
sudo /bin/sh -c '/usr/bin/trafr -s | /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /run/suricata.pid -r /dev/stdin -v not host 10.10.111.200 -l /var/log/suricata/'
I’m trying to exclude our monitoring system, which is scanning the network via SNMP.

Even a simple filter like this seems to be ignored completely - I still see all traffic in the Suricata logs.
-v not host 10.10.111.200

Specifying the filter in file /etc/suricata/capture-filter.bpf also doesn’t work:
sudo /bin/sh -c '/usr/bin/trafr -s | /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /run/suricata.pid -r /dev/stdin -F /etc/suricata/capture-filter.bpf -l /var/log/suricata/'

What am I doing wrong, is this not supported for reading from pcap (-r) or is it even a BUG?

I’m thankful for any hint.

Best regards, Flo.

The BPF is supposed to be the last part of the suricata commandline, so you could try moving it there. Alternatively you can put the filter in a file and load it from the commandline with -F <file path>.

Hi Victor,
thanks a lot for your fast response :)

I already tried that by using a bpf file, which also didn’t work (see my initial post above).

Even when I move it at the end, the filter is completely ignored:
sudo /bin/sh -c '/usr/bin/trafr -s | /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /run/suricata.pid -r /dev/stdin -l /var/log/suricata/ -v not host 10.10.111.200'

Same if I put -F /path/to/file.bpf at the end of the command:
sudo /bin/sh -c '/usr/bin/trafr -s | /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /run/suricata.pid -r /dev/stdin -l /var/log/suricata/ -F /etc/suricata/capture-filter.bpf'

It’s really strange. Does anyone have an idea why this doesn’t work?

You may have already tried this but I’ll ask. Can you use tcpdump -r - <your-bpf-filter> to see if you get the results you’re expecting?


Hey @Jeff_Lucovsky - thanks.
Yes, tried that and it works with tcpdump…

Let’s see if Suricata is using the correct values for the BPF

Please run

/usr/bin/suricata -c /etc/suricata/suricata.yaml -l /var/log/suricata/  --dump-config -v not host 10.10.111.200 | grep -i bpf

/usr/bin/suricata -c /etc/suricata/suricata.yaml -l /var/log/suricata/  --dump-config -v -F /etc/suricata/capture-filter.bpf | grep -i  bpf

@Jeff_Lucovsky sorry for the late reply…

sudo /bin/sh -c '/usr/bin/trafr -s | /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /run/suricata.pid -r /dev/stdin -l /var/log/suricata/ --dump-config -v -F /etc/suricata/capture-filter.bpf' | grep -i  bpf
bpf-filter = not (src host 172.17.0.39 and udp and dst port 161)

sudo /bin/sh -c '/usr/bin/trafr -s | /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /run/suricata.pid -r /dev/stdin -l /var/log/suricata/ --dump-config -v not host 172.17.0.39' | grep -i bpf
bpf-filter = not host 172.17.0.39

Do the displayed bpf-filter values match the bpf you expect?

Yes, but they won’t apply. Meaning: I see traffic from the host in eve.json / fast.log.

Just tried it again to make 100% sure:
sudo /bin/sh -c '/usr/bin/trafr -s | /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /run/suricata.pid -r /dev/stdin -l /var/log/suricata/ -v not host 172.17.0.39'

Notice: suricata: This is Suricata version 7.0.8 RELEASE running in USER mode
Info: cpu: CPUs/cores online: 8
Info: suricata: Setting engine mode to IDS mode by default
Info: logopenfile: fast output device (regular) initialized: fast.log
Info: logopenfile: eve-log output device (regular) initialized: eve.json
Warning: runmodes: eve module 'ikev2' has been replaced by 'ike'
Info: logopenfile: stats output device (regular) initialized: stats.log
Info: detect: 2 rule files processed. 95311 rules successfully loaded, 0 rules failed, 0
Info: threshold-config: Threshold config parsed: 0 rule(s) found
Info: detect: 95314 signatures processed. 1259 are IP-only rules, 4439 are inspecting packet payload, 89405 inspect application layer, 108 are decoder event only
Info: pcap: using bpf-filter "not host 172.17.0.39"
Info: pcap: Starting file run for /dev/stdin
Notice: threads: Threads created -> RX: 1 W: 8 FM: 1 FR: 1   Engine started.
Info: checksum: More than 1/10th of packets have an invalid checksum, assuming checksum offloading is used (128/1000)
Notice: detect: rule reload starting

The filter doesn’t work, I see traffic:

bpf filters definitely work with pcaps (-r)

I had a kind of similar issue where I thought I was going crazy and bpf didn’t work for some reason; the problem was that I had 2 instances of suricata running simultaneously, one with the bpf working and one without the bpf

I guess you can also check for that issue

I’m not able to replicate the failures you’re encountering.

We’ve verified that suricata is using the proper config value by displaying values with the --dump-config option.

Is your traffic ERSPAN by any chance?
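Added example (not from the thread, not Suricata or trafr code) illustrating why the ERSPAN question matters. A BPF primitive such as `not host 172.17.0.39` is evaluated by libpcap against the outermost IPv4 header of each frame; it does not descend into a GRE/ERSPAN tunnel. Suricata, by contrast, decodes GRE and ERSPAN and logs the inner addresses in eve.json, so tunneled SNMP traffic would still appear there even though the filter "works". The script below walks a classic pcap (Ethernet link type only) and reports in how many frames a given address appears in the outer header versus inside a GRE/ERSPAN type II tunnel. The sample pcap is constructed in the script; the address 172.17.0.39 and the SNMP poller role are taken from the thread, the other addresses are made up. Whether this is actually the cause of the reported behaviour is an assumption, not something the thread confirms.

```python
"""Report whether an IP address sits in the outer header or inside GRE/ERSPAN.
Added example; the pcap below is constructed, not captured from the thread's network."""
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_GRE = 47
GRE_PROTO_ERSPAN2 = 0x88BE   # ERSPAN type II carried in GRE
GRE_PROTO_TEB = 0x6558       # transparent Ethernet bridging (plain GRE-tap)
ERSPAN2_HDR_LEN = 8


def parse_ipv4(buf):
    """Return (src, dst, protocol, payload) for an IPv4 header, or None if malformed."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        return None
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        return None
    src = str(ipaddress.IPv4Address(buf[12:16]))
    dst = str(ipaddress.IPv4Address(buf[16:20]))
    return src, dst, buf[9], buf[ihl:]


def parse_gre(buf):
    """Return (protocol type, payload), skipping the optional checksum/key/sequence fields."""
    if len(buf) < 4:
        return None
    flags, proto = buf[0], struct.unpack("!H", buf[2:4])[0]
    off = 4 + 4 * bool(flags & 0x80) + 4 * bool(flags & 0x20) + 4 * bool(flags & 0x10)
    return (proto, buf[off:]) if len(buf) >= off else None


def ethernet_ipv4(frame):
    """Return the IPv4 payload of an Ethernet II frame, or None if it is not IPv4."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    return frame[14:]


def classify(frame):
    """Return (outer, inner): (src, dst) tuples or None.
    outer: what a BPF 'host' primitive sees. inner: addresses inside GRE/ERSPAN,
    which Suricata decodes and logs as src_ip/dest_ip in eve.json."""
    ip = ethernet_ipv4(frame)
    outer = parse_ipv4(ip) if ip is not None else None
    if outer is None:
        return None, None
    src, dst, proto, payload = outer
    inner = None
    if proto == IPPROTO_GRE and (gre := parse_gre(payload)) is not None:
        gproto, gpayload = gre
        if gproto == GRE_PROTO_ERSPAN2:
            gpayload = gpayload[ERSPAN2_HDR_LEN:]
        if gproto in (GRE_PROTO_ERSPAN2, GRE_PROTO_TEB):
            iip = ethernet_ipv4(gpayload)
            parsed = parse_ipv4(iip) if iip is not None else None
            if parsed is not None:
                inner = parsed[:2]
    return (src, dst), inner


def read_pcap(data):
    """Yield raw frames from a classic (non-pcapng) pcap with Ethernet link type."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("expected LINKTYPE_ETHERNET")
    off = 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl]
        off += incl


def host_layers(data, host):
    """Count frames in which `host` appears in the outer vs. the tunneled IPv4 header."""
    counts = {"frames": 0, "outer": 0, "inner": 0}
    for frame in read_pcap(data):
        counts["frames"] += 1
        outer, inner = classify(frame)
        counts["outer"] += bool(outer and host in outer)
        counts["inner"] += bool(inner and host in inner)
    return counts


# --- constructed sample (hypothetical addresses except the thread's 172.17.0.39) ---
def _eth():
    return b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_IPV4)


def _ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def _erspan_wrap(outer_src, outer_dst, inner_frame):
    gre = struct.pack("!BBHI", 0x10, 0, GRE_PROTO_ERSPAN2, 1)   # S flag + sequence number
    erspan = struct.pack("!HHI", 0x1000, 0, 0)                   # ERSPAN type II, session 0
    return _eth() + _ipv4(outer_src, outer_dst, IPPROTO_GRE, gre + erspan + inner_frame)


def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out


SNMP_POLLER = "172.17.0.39"
_snmp = _eth() + _ipv4(SNMP_POLLER, "10.10.111.5", 17, b"\x00" * 8)   # UDP stub
SAMPLE_PCAP = _pcap([
    _snmp,                                               # plain: 'host' matches the poller
    _erspan_wrap("10.10.111.1", "10.10.111.50", _snmp),  # tunneled: 'host' sees only outer IPs
    _eth() + _ipv4("10.10.111.20", "10.10.111.30", 6, b"\x00" * 20),
])

if __name__ == "__main__":
    print(host_layers(SAMPLE_PCAP, SNMP_POLLER))   # {'frames': 3, 'outer': 1, 'inner': 1}
```

To run it against a real capture, save trafr's stream to a file once (for example with `tcpdump -r - -w capture.pcap`) and call `host_layers(open("capture.pcap", "rb").read(), "172.17.0.39")`. A non-zero `inner` count with a zero `outer` count means the address is reachable only through a tunnel, which `not host` cannot exclude; note that the `tcpdump -r - 'not host ...'` check suggested earlier evaluates the same outer header and therefore passes in exactly the same situation.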