Support #2642 (Closed)
Ignoring/dropping the GRE or MPLS protocol in Suricata IDS
Added by lolilol party about 6 years ago. Updated over 5 years ago.
Description
Hello,
I have installed the Suricata IDS on my computer.
The probe works well with init.d (/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -D -vvv), which reads the multiple interfaces defined in the `af-packet` section of the /etc/suricata/suricata.yaml file,
but I have to filter some low-level protocols, like the GRE protocol or MPLS over UDP, and I cannot.
I did multiple tests but did not succeed.
Updated by Victor Julien about 6 years ago
- Tracker changed from Bug to Support
- Priority changed from High to Normal
- Effort deleted (high)
Sounds like something for a BPF? A filter like 'not proto 47' to ignore GRE. MPLS can probably be done in a similar way.
Updated by lolilol party about 6 years ago
Victor Julien wrote:
Sounds like something for a BPF? A filter like 'not proto 47' to ignore GRE. MPLS can probably be done in a similar way.
Thanks for your reply.
Where can I add this filter, please? :)
Updated by lolilol party about 6 years ago
Victor Julien wrote:
https://suricata.readthedocs.io/en/latest/performance/ignoring-traffic.html#capture-filters-bpf
I already tried that, but it doesn't work; only the tcp, udp and icmp protocols work :(((
because when I tried the gre protocol, the suricata service does not restart and I got an error. :((
Updated by lolilol party about 6 years ago
lolilol party wrote:
Victor Julien wrote:
https://suricata.readthedocs.io/en/latest/performance/ignoring-traffic.html#capture-filters-bpf
I already tried that, but it doesn't work; only the tcp, udp and icmp protocols work :(((
because when I tried the gre protocol, the suricata service does not restart and I got an error. :((
Updated by Victor Julien about 6 years ago
Can you show what you tried so far? I have used a gre bpf quite recently, so at least that part should work.
Updated by lolilol party about 6 years ago
Victor Julien wrote:
Can you show what you tried so far? I have used a gre bpf quite recently, so at least that part should work.
Yes:
/etc/init.d/suricata
SURICATA_OPTIONS=" -c $SURCONF --pidfile $PIDFILE $LISTEN_OPTIONS -D -vvv $USER_SWITCH not gre"
/var/log/suricata.log
15/10/2018 -- 09:08:34 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Filter compilation failed.
15/10/2018 -- 09:08:34 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Set AF_PACKET bpf filter "not gre" failed.
15/10/2018 -- 09:08:34 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error
Updated by Victor Julien about 6 years ago
Can you try my suggestion from comment #1 above? 'not proto 47'
Updated by lolilol party about 6 years ago
Victor Julien wrote:
Can you try my suggestion from comment #1 above? 'not proto 47'
Yes, I did that, after searching about BPF:
--af-packet -D -vvv not (tcp and udp port 47)
I also found this:
l4proto <protocol>
where <protocol> is either a protocol number or a name.
So which is better, the above or the one below:
not (l4proto gre and mpls)
But the above rules do not work :(
Updated by lolilol party about 6 years ago
lolilol party wrote:
Victor Julien wrote:
Can you try my suggestion from comment #1 above? 'not proto 47'
Yes, I did that, after searching about BPF.
[...] I also found this:
[...] So which is better, the above or the one below:
not (l4proto gre and mpls-in-ip)
But the above rules do not work :(
Updated by lolilol party about 6 years ago
Forget my above post.
I tried 'not proto 47' and it is good. Now for MPLS: I want to filter MPLS above the UDP protocol, any idea?
Because 'not proto 47 and not mpls' will just look at the standard location, above Ethernet.
Updated by Victor Julien almost 6 years ago
Did you find a way? I'm not familiar with how to filter mpls, but bpf may have a way.
Updated by Andreas Herz over 5 years ago
- Assignee set to lolilol party
- Target version set to Support
Updated by Andreas Herz over 5 years ago
- Status changed from New to Feedback
Did you try just "mpls", as this is what the bpf manual says? You can also use "not proto gre" for the gre part, but the number works as well.
Updated by Andreas Herz over 5 years ago
- Status changed from Feedback to Closed
As I have this running exactly like that, I close this issue; the solution is explained.
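The thread settles on the capture filter `not proto 47 and not mpls` (Victor's comment #1 for GRE, Andreas's closing comment for MPLS) but leaves the reporter's last question open: the `mpls` keyword keys on the EtherType at the Ethernet layer, so MPLS carried inside UDP is not recognised as MPLS and still reaches the engine. The following Python script is an added example, not code from the ticket or from the Suricata project. It builds four constructed frames (GRE over IPv4, MPLS over Ethernet, MPLS over UDP, and a plain TCP SYN), re-implements the two filters' matching logic in Python so the difference can be observed offline, and shows how one extra clause closes the gap. Assumptions not stated in the thread: the MPLS-in-UDP destination port 6635 (the IANA assignment from RFC 7510), the dummy MAC and IP addresses, and that only untagged IPv4 frames are considered (no 802.1Q, no IPv6).

```python
import struct

# Wire-format constants (EtherTypes and IP protocol numbers).
ETH_P_IP = 0x0800
ETH_P_MPLS_UC = 0x8847    # MPLS unicast, what the BPF `mpls` keyword looks for
ETH_P_MPLS_MC = 0x8848    # MPLS multicast, treated as MPLS here as well
IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_GRE = 47          # the `proto 47` from the thread
# Assumption (not in the thread): IANA port for MPLS-in-UDP, RFC 7510.
MPLS_IN_UDP_PORT = 6635

ETH_HDR_LEN = 14
IP_HDR_LEN = 20


def ethernet(ethertype, payload):
    """Constructed Ethernet II frame with dummy MAC addresses."""
    dst = bytes.fromhex("001122334455")
    src = bytes.fromhex("66778899aabb")
    return dst + src + struct.pack("!H", ethertype) + payload


def ipv4(proto, payload):
    """Minimal 20-byte IPv4 header (dummy 10.0.0.1 -> 10.0.0.2); checksum left at zero."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(payload), 0, 0, 64,
                      proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


def udp(sport, dport, payload):
    """8-byte UDP header, checksum left at zero."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def tcp_syn(sport, dport):
    """20-byte TCP header: SYN set, data offset 5, no options."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)


def mpls(label, payload):
    """One MPLS label stack entry (TC 0, bottom-of-stack, TTL 64) then the payload."""
    return struct.pack("!I", (label << 12) | (1 << 8) | 64) + payload


def gre(payload, inner_ethertype=ETH_P_IP):
    """4-byte GRE header with no flags, then the encapsulated packet."""
    return struct.pack("!HH", 0, inner_ethertype) + payload


# Constructed sample traffic: one frame per case discussed in the ticket.
SAMPLE_FRAMES = {
    "gre_over_ipv4": ethernet(ETH_P_IP, ipv4(IPPROTO_GRE,
                              gre(ipv4(IPPROTO_TCP, tcp_syn(40000, 80))))),
    "mpls_over_ethernet": ethernet(ETH_P_MPLS_UC, mpls(100,
                                   ipv4(IPPROTO_TCP, tcp_syn(40001, 80)))),
    "mpls_over_udp": ethernet(ETH_P_IP, ipv4(IPPROTO_UDP, udp(40002, MPLS_IN_UDP_PORT,
                              mpls(200, ipv4(IPPROTO_TCP, tcp_syn(40003, 80)))))),
    "plain_http_syn": ethernet(ETH_P_IP, ipv4(IPPROTO_TCP, tcp_syn(40004, 80))),
}


def dissect(frame):
    """Return (ethertype, ip_protocol, udp_dport); None where that layer is absent."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype != ETH_P_IP:
        return ethertype, None, None
    ihl = (frame[ETH_HDR_LEN] & 0x0F) * 4
    proto = frame[ETH_HDR_LEN + 9]
    if proto != IPPROTO_UDP:
        return ethertype, proto, None
    dport = struct.unpack_from("!H", frame, ETH_HDR_LEN + ihl + 2)[0]
    return ethertype, proto, dport


def passes_not_gre_not_mpls(frame):
    """Matching logic of `not proto 47 and not mpls` on an untagged IPv4 frame.
    True means the frame is handed to Suricata. `mpls` only inspects the EtherType,
    so an MPLS stack carried inside UDP is not seen as MPLS and passes through."""
    ethertype, proto, _ = dissect(frame)
    is_mpls = ethertype in (ETH_P_MPLS_UC, ETH_P_MPLS_MC)
    is_gre = proto == IPPROTO_GRE
    return not is_gre and not is_mpls


def passes_with_mpls_in_udp_dropped(frame):
    """Matching logic of `not proto 47 and not mpls and not udp dst port 6635`."""
    _, proto, dport = dissect(frame)
    is_mpls_in_udp = proto == IPPROTO_UDP and dport == MPLS_IN_UDP_PORT
    return passes_not_gre_not_mpls(frame) and not is_mpls_in_udp


def classify_all():
    """Map each sample frame to (passes the thread's filter, passes the extended filter)."""
    return {name: (passes_not_gre_not_mpls(f), passes_with_mpls_in_udp_dropped(f))
            for name, f in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for name, (thread_filter, extended) in classify_all().items():
        print(f"{name:20s} 'not proto 47 and not mpls' -> {thread_filter!s:5s}  "
              f"'... and not udp dst port {MPLS_IN_UDP_PORT}' -> {extended}")
```

Only `mpls_over_udp` changes between the two columns: the thread's filter lets it through, the extra `udp dst port 6635` clause drops it. In a deployment the expression goes either as the trailing argument on the command line, as the reporter's init script does, or per interface under `af-packet` in suricata.yaml via the `bpf-filter` key described on the documentation page linked above; compile it first with `tcpdump -i <iface> -d '<expression>'` as root, which catches errors such as the `not gre` compilation failure in the log before the service refuses to start. Note that the port-based clause is a heuristic: it only catches MPLS-in-UDP sent to the registered port, not encapsulation on an arbitrary port.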