Hello. I try to filter out specific traffic. More precisely a vlan .
I use AF-packet (IDS mode/TAP) with 2 processing threads on the capturing interface.
I added the bpf-filter: not vlan 571 and it doesn’t work (says in suricata.log Using BPF … on iface ens224) . (when I use for example IP filter it works just fine)
What am I doing wrong?
Thanks in advance.
OS: AlmaLinux 9.3
Kernel: 5.14.0-362.24.1.el9_3.x86_64
Suricata version 6.0.16
Can you share the full configuration and a pcap please?
I am sending you the Suricata configuration file. Sorry, I cannot provide you with a PCAP cause it contains sensitive data.
I only can give some screenshots, if this helps you. I have 2 Vlans, Suricata sees them and identifies them in the logs. You will in the section of the af-packet that I have defined a BPF Filter to block a specific VLAN and a specific IP. The problem is that even if I put the VLAN BPF Filter, it is not working.
suricata.yaml (76.8 KB)
How do you determine that your filter does not work? Are you still seeing EVE-JSON metadata or alerts for the combination of VLAN and IP that you are trying to filter?
Can you maybe temporarily remove the IP part of the filter and see if that changes anything?
How are you running Suricata? Can you provide the full command line of the suricata process as it is being run, e.g. via systemctl or equivalent?
Are there any other error messages or warnings in your log?
Have you disabled vlan offloading on your NIC (cf networking - Detect VLAN tagged packets using XDP eBPF - Stack Overflow)?
There might also be some magic with the syntax involved (cf the BPF filter dit not work with vlan packets - Stack Overflow)
Hi.
Yes, I am still seeing the VLAN tag in alerts. Even the VLAN I want to filter out. I ran only the VLAN BPF (without IP) filter and still was able to see the specific VLAN packets coming. I run it through systemd with
ExecStart=/sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid $OPTIONS
/etc/sysconfig/suricata
OPTIONS="--user suricata --af-packet"
I disabled the VLAN offloading because it was enabled( I disabled the rx-vlan-offload tx-vlan-offload. I couldn’t change the rx-vlan-filter (still on)). I used the bpf-filter not ( tcp and vlan 300) but still the same. In the suricata.log it says that the bpf filter has been loaded on the interface and I don’t get any other error. Suricata starts normally. For example when I added the tcp and vlan 300 I had an error that was saying that this expression rejects all packets (fatal error).
Thank you in advance, for your time and your guidance.
TBH I am a bit out of ideas now.
Your systemd ExecStart confirms that you’re actually using af-packet and are not overriding the interface to capture from on the command line, i.e. what is in your suricata.yaml is what is actually being used. I can’t see right now what the problem could be. Can you still provide a full log of the Suricata start?
I know that my organization is using the BPF filtering feature successfully (not on vlans though IIRC), so it’s not broken in principle. Maybe someone else has more of a clue?
When I use BPF filters with IP, port etc it is working just fine. Below is the suricata.log with enabled the not working BPF filter.
suricata.log (2.7 KB)