Feature #1224
closed
Allow newlines in bpf filters in files specified by the -F flag
Added by Cooper Nelson almost 10 years ago.
Updated over 8 years ago.
Description
Currently if you create a bpf filter as a file, the entire filter must be specified on a single line or it will not compile correctly. This can make managing complex filters somewhat unwieldy. I tried escaping the newline but that didn't work.
I am not sure what do you mean.
I just did a blogpost about bpf filters -
http://www.pevma.blogspot.se/2014/06/suricata-idps-getting-best-out-of.html
This is the BPF that I used in a file (there are new lines in there) -
root@snif01:/var/log/suricata# cat /home/pmanev/test/bpf-filter
(
(ip and port 20 or 21 or 22 or 25 or 110 or 161 or 443 or 445 or 587 or 6667)
or ( ip and tcp dst port 80 or (ip and tcp src port 80 and
(tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 or
tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450))))
or
((vlan and port 20 or 21 or 22 or 25 or 110 or 161 or 443 or 445 or 587 or 6667)
or ( vlan and tcp dst port 80 or (vlan and tcp src port 80 and
(tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 or
tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450)))
)
root@snif01:/var/log/suricata#
and it worked fine in my case.
Is this the same issue, or did I misunderstand?
It didn't work last time I tried it. As mentioned, it seems to work now so go ahead and close out the ticket.
Before we do that, can we pinpoint the reason it did not run correctly the last time? Just to confirm there is no corner case or something.
- Status changed from New to Closed
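As an added example (not code from this ticket or from the Suricata project): a small Python helper that folds a multi-line filter file like the one posted above into the single-line form and reports whether its parentheses balance, which is the kind of corner case worth ruling out when a filter file fails to load. The '#' comment handling is this script's own convention, not a claim about what the -F flag accepts.

```python
"""Fold a multi-line BPF filter file (the kind passed with `suricata -F`) into
one line and check its parentheses, so a missing ')' is caught before the
filter reaches libpcap. Example code, not Suricata's own."""
import re

# Constructed sample: the filter from the ticket, with one comment line on top.
# Comment stripping is this script's convention, not a claim about what -F accepts.
SAMPLE_FILTER = """\
# ports of interest, plus HTTP by TCP flags or 'HTTP' (0x48545450) at payload start
(
(ip and port 20 or 21 or 22 or 25 or 110 or 161 or 443 or 445 or 587 or 6667)
or ( ip and tcp dst port 80 or (ip and tcp src port 80 and
(tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 or
tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450))))
or
((vlan and port 20 or 21 or 22 or 25 or 110 or 161 or 443 or 445 or 587 or 6667)
or ( vlan and tcp dst port 80 or (vlan and tcp src port 80 and
(tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 or
tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450)))
)
"""


def normalize_bpf(text: str) -> str:
    """Drop blank and '#' comment lines, join the rest with single spaces."""
    kept = [ln.strip() for ln in text.splitlines()]
    kept = [ln for ln in kept if ln and not ln.startswith("#")]
    return re.sub(r"\s+", " ", " ".join(kept))


def paren_depth(expr: str) -> int:
    """Net parenthesis depth after scanning expr: 0 is balanced, >0 means an
    unclosed '(', <0 means a ')' with nothing open (the scan stops there)."""
    depth = 0
    for ch in expr:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return depth
    return depth


def check_filter_file(text: str) -> tuple[str, int]:
    """Return the single-line filter and its parenthesis depth (0 = balanced)."""
    expr = normalize_bpf(text)
    return expr, paren_depth(expr)
```

Run `check_filter_file(open("bpf-filter").read())` on a real file; a nonzero depth points at a truncated or over-closed filter before Suricata is ever started with it.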