Bug #1382
openBPF not reflected in suricata.log when using pf-ring
Description
Latest git 2.1dev (rev 1010406): when using a BPF filter from a file with af-packet, this is reflected in suricata.log.
.... (runmode-af-packet.c:148) <Info> (ParseAFPConfig) -- Going to use command-line provided bpf filter '( (ip and port 20 or 21.......... ....
The same is not true when using BPF with pf-ring.
Updated by Andreas Herz over 8 years ago
- Assignee set to Anonymous
- Target version set to TBD
Updated by Andreas Herz over 5 years ago
- Status changed from New to Feedback
Is this still an issue?
Updated by Jay MJ over 5 years ago
Andreas Herz wrote:
Is this still an issue?
I checked, it does not appear to be a problem with printable payload and base64 encoded payload fields in eve logs. Also, suricata generated pcaps appear to be fine.
Using this script to convert the packet field, and it's just garbage (perhaps another issue?). - https://gist.github.com/jermdw/a39d86c36cedbfa9b9a16faed59434e5
I also did try scapy, which doesn't seem think the base64 packet is valid at all.
I think it makes sense to close this and, after I update to latest version of suricata, test more. If still present, open issue for packet field malformed. That does not appear to be related to this erspan issue as it is malformed without that header also.
To conclude, version 4.1.2 does not appear to have the issues with payload and payload printed fields anymore.
Updated by Peter Manev over 5 years ago
@Jay is this the correct issue you have updated?
Updated by Jay MJ over 5 years ago
Peter Manev wrote:
@Jay is this the correct issue you have updated?
Whoops, my apologies, no it is not. Please disregard; thank you Peter.