Feature #6832

open

Support BPFs for filtering pcap output

Added by Mike Reeves 10 months ago. Updated 2 months ago.

Status: New
Priority: Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

Some users want to use Suricata full PCAP on their network but leverage BPFs to enable DPI but not write PCAP for a specific filter.

Example:

Server 1 does a nightly backup of 1TB worth of data to Server 2. Using a separate tool for PCAP we can easily use the BPF not ((host server1 and host server2) and port 445) to not write that traffic to disk. Even though we are not writing PCAP, Suricata is still inspecting the traffic and alerting on things between those hosts.

If we were using Suricata for PCAP and used that same BPF, we would no longer be inspecting that traffic.

Basic BPFs using something similar to the metadata filtering rule lingo would be sufficient.

There is a use case for filtering VXLAN traffic. Those BPFs are a little more complex:

Source IP example:
not ether[76:4] = 0x0a000001 (10.0.0.1)

Destination IP example:
not ether[80:4] = 0x0a000001 (10.0.0.1)
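The VXLAN offsets above follow from the encapsulation stack: outer Ethernet (14) + outer IPv4 (20) + UDP (8) + VXLAN (8) + inner Ethernet (14) = 64 bytes to the inner IPv4 header, whose source and destination addresses sit at +12 and +16, giving ether[76:4] and ether[80:4]. The script below is an added example, not code from this issue or from the Suricata project: it derives those offsets (including the shift an outer 802.1Q tag introduces), generates the exclusion filter for a given inner address, and checks it against a constructed VXLAN frame with a toy evaluator for this one BPF primitive. The assumed stack (untagged inner Ethernet, outer IPv4 without options, UDP port 4789) and the sample frame are assumptions of the example; the evaluator is not libpcap.

```python
import ipaddress
import re
import struct

# Added example, not part of the Suricata issue or code base. Header sizes in bytes for the
# encapsulation stack ASSUMED here: outer Ethernet, optional 802.1Q tags, outer IPv4 without
# options, UDP, VXLAN, inner Ethernet (untagged), inner IPv4.
ETH_LEN, VLAN_TAG_LEN, IPV4_LEN, UDP_LEN, VXLAN_LEN = 14, 4, 20, 8, 8
IPV4_SRC_OFF, IPV4_DST_OFF = 12, 16   # address offsets inside an IPv4 header
VXLAN_PORT = 4789                     # IANA-assigned VXLAN UDP port (assumed for the guard)


def inner_ipv4_offset(field, outer_vlan_tags=0):
    """Offset from the start of the outer frame to the inner IPv4 src/dst address.

    With no VLAN tag this yields 76 (src) and 80 (dst), the values quoted in the issue;
    each outer 802.1Q tag shifts everything by 4.
    """
    if field not in ("src", "dst"):
        raise ValueError("field must be 'src' or 'dst'")
    inner_ip_start = (ETH_LEN + outer_vlan_tags * VLAN_TAG_LEN + IPV4_LEN
                      + UDP_LEN + VXLAN_LEN + ETH_LEN)
    return inner_ip_start + (IPV4_SRC_OFF if field == "src" else IPV4_DST_OFF)


def vxlan_inner_host_filter(ip, field="src", outer_vlan_tags=0, guard=False):
    """Build a BPF expression that EXCLUDES frames whose inner IPv4 src/dst equals `ip`.

    guard=True also requires the outer UDP destination port to be VXLAN's, so the raw byte
    comparison is only applied to frames that actually carry VXLAN.
    """
    off = inner_ipv4_offset(field, outer_vlan_tags)
    cmp_expr = "ether[%d:4] = 0x%08x" % (off, int(ipaddress.IPv4Address(ip)))
    if guard:
        return "not (udp dst port %d and %s)" % (VXLAN_PORT, cmp_expr)
    return "not " + cmp_expr


def build_vxlan_frame(inner_src, inner_dst, vni=100, payload=b"\x00" * 8):
    """Constructed VXLAN-in-IPv4 frame; only the fields that affect offsets are realistic."""
    def ipv4(src, dst, proto, plen):
        # version/IHL, TOS, total length, id, flags/frag, TTL, proto, checksum (0), src, dst
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_LEN + plen, 0, 0x4000, 64, proto, 0,
                           ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    inner = (b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00"          # inner Ethernet, IPv4 ethertype
             + ipv4(inner_src, inner_dst, 6, len(payload)) + payload)
    vxlan = bytes([0x08, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"   # I flag set, VNI
    udp = struct.pack("!HHHH", 49152, VXLAN_PORT, UDP_LEN + VXLAN_LEN + len(inner), 0)
    outer = (b"\x01" * 6 + b"\x01" * 6 + b"\x08\x00"          # outer Ethernet, IPv4 ethertype
             + ipv4("192.0.2.10", "192.0.2.20", 17, UDP_LEN + VXLAN_LEN + len(inner)))
    return outer + udp + vxlan + inner


_PRIM = re.compile(r"^(not )?ether\[(\d+):4\] = 0x([0-9a-fA-F]{8})$")


def bpf_matches(expr, frame):
    """Toy evaluator for the single primitive 'ether[N:4] = 0x..', optionally negated.

    It mirrors one classic-BPF rule worth knowing: a load past the end of the frame aborts
    the program with "no match", so a frame shorter than N+4 bytes fails the filter even
    when the expression is wrapped in `not`.
    """
    m = _PRIM.match(expr)
    if not m:
        raise ValueError("unsupported expression: %s" % expr)
    negate, off, want = m.group(1) is not None, int(m.group(2)), int(m.group(3), 16)
    if off + 4 > len(frame):
        return False
    got = struct.unpack("!I", frame[off:off + 4])[0]
    return (got == want) != negate


if __name__ == "__main__":
    frame = build_vxlan_frame("10.0.0.1", "10.0.0.2")
    for expr in (vxlan_inner_host_filter("10.0.0.1"),
                 vxlan_inner_host_filter("10.0.0.1", "dst"),
                 vxlan_inner_host_filter("10.0.0.1", guard=True)):
        print(expr)
    print(bpf_matches(vxlan_inner_host_filter("10.0.0.1"), frame))   # excluded: False
    print(bpf_matches(vxlan_inner_host_filter("10.0.0.1"), b"\x00" * 60))  # short frame: False
```

Two caveats the evaluator makes visible: the bare `not ether[76:4] = ...` form also rejects any frame shorter than 80 bytes (an out-of-range load fails the whole filter regardless of `not`), and it compares those bytes on every frame, VXLAN or not, so the guarded form that ties the comparison to the VXLAN UDP port is the safer one to deploy.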
