
Feature #3439 (open): bpf-filter does not accept path/file

Added by Tiago F. almost 5 years ago. Updated 6 months ago.

Status: New
Priority: Normal
Assignee, target version, effort, difficulty, label: not set

Description

This discussion took place in the following thread: https://lists.openinfosecfoundation.org/pipermail/oisf-users/2020-January/017352.html. It was moved to this issue on Peter's recommendation.

Issue

The bpf-filter option in suricata.yaml accepts only the filter expression itself, not a path to a file containing the filters to apply.

When using a file for BPF filtering with the -F option, Suricata accepts the file and translates its content into a BPF expression (as intended). There should be a way to specify this file in the configuration file, similar to -F. Ideally, bpf-filter would accept either the expression itself (e.g. not host 1.1.1.1) or a path.

Currently, if bpf-filter contains a path, for example bpf-filter: /etc/suricata/capture-filter.bpf, the following error occurs:

[12118] 10/1/2020 -- 11:41:29 - (source-af-packet.c:2274) <Error> (AFPSetBPFFilter) -- [ERRCODE: SC_ERR_AFP_CREATE(190)] - Failed to compile BPF "/etc/suricata/capture-filter.bpf": syntax error in filter expression: syntax error
[12118] 10/1/2020 -- 11:41:29 - (source-af-packet.c:1507) <Error> (ReceiveAFPLoop) -- [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error
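As an added example (not part of the reporter's post and not Suricata's own code), the shell snippet below reproduces what the -F option does with a BPF file, so that the resulting one-line expression can be put into suricata.yaml or passed with --set until bpf-filter accepts a path directly. It also shows the behaviour the feature asks for: a wrapper that takes either a path or an expression. Assumptions: the sample BPF file content is constructed here, the /etc/suricata/capture-filter.bpf path is the reporter's, and the usage line assumes that the af-packet interface to filter is index 0 and that --set overrides suricata.yaml keys by dotted path.

```shell
#!/bin/sh
# Added example, not Suricata code. Suricata's -F handling blanks everything
# from '#' to end of line, turns CR/LF into spaces and strips trailing spaces
# before handing the result to libpcap. bpf_file_to_expr does the same and
# additionally squeezes runs of whitespace, which libpcap does not care about
# but keeps the one-liner readable in a YAML value.

bpf_file_to_expr() {
    # $1: path to a BPF file in the format -F accepts (comments start with '#')
    sed -e 's/#.*$//' "$1" \
        | tr '\r\n' '  ' \
        | tr -s ' \t' ' ' \
        | sed -e 's/^ *//' -e 's/ *$//'
}

# What the feature request asks for: accept either a path or an expression.
# A readable file is translated; anything else is passed through unchanged.
# (Wrapper added here; this is not current Suricata behaviour.)
bpf_value_to_expr() {
    if [ -f "$1" ]; then
        bpf_file_to_expr "$1"
    else
        printf '%s\n' "$1"
    fi
}

# Constructed sample file with comments and line breaks, the kind of content
# the report keeps in /etc/suricata/capture-filter.bpf (content made up here).
write_sample_bpf() {
    cat > "$1" <<'EOF'
# capture everything except our own management traffic
not host 1.1.1.1
# and skip the backup job on the storage VLAN
and not (net 10.20.0.0/16 and port 873)
EOF
}

# Demo with the constructed sample:
#   f=$(mktemp); write_sample_bpf "$f"; bpf_file_to_expr "$f"
#
# Usage against a running config (assumption: af-packet interface index 0 is
# the one to filter, and --set overrides suricata.yaml keys by dotted path):
#   suricata --af-packet=eth0 \
#     --set "af-packet.0.bpf-filter=$(bpf_file_to_expr /etc/suricata/capture-filter.bpf)"
```

The translated expression is what AFPSetBPFFilter ends up compiling either way; the error in the report comes from the literal path string being handed to the BPF compiler, which is why the file has to be flattened to an expression somewhere before it reaches the capture module.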
