<p>Source: <a class="external" href="https://redmine.openinfosecfoundation.org/issues/1382">Suricata - Bug #1382: BPF not reflected in suricata.log when using pf-ring</a> (Open Information Security Foundation Redmine, issue journal feed)</p>
<p><strong>Update by Andreas Herz</strong>, 2016-09-08T14:42:36Z (<a class="external" href="https://redmine.openinfosecfoundation.org/issues/1382?journal_id=7336">journal 7336</a>)</p>
<ul><li><strong>Assignee</strong> set to <i>Anonymous</i></li><li><strong>Target version</strong> set to <i>TBD</i></li></ul>
<p><strong>Update by Andreas Herz</strong>, 2019-02-23T22:16:34Z (<a class="external" href="https://redmine.openinfosecfoundation.org/issues/1382?journal_id=11217">journal 11217</a>)</p>
<ul><li><strong>Assignee</strong> set to <i>Community Ticket</i></li></ul>
<p><strong>Update by Andreas Herz</strong>, 2019-07-27T22:33:58Z (<a class="external" href="https://redmine.openinfosecfoundation.org/issues/1382?journal_id=13145">journal 13145</a>)</p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Feedback</i></li></ul><p>Is this still an issue?</p>
<p><strong>Update by Jay MJ</strong>, 2019-07-29T15:41:15Z (<a class="external" href="https://redmine.openinfosecfoundation.org/issues/1382?journal_id=13172">journal 13172</a>)</p>
<p>Andreas Herz wrote:</p>
<blockquote>
<p>Is this still an issue?</p>
</blockquote>
<p>I checked, it does not appear to be a problem with printable payload and base64 encoded payload fields in eve logs. Also, suricata generated pcaps appear to be fine.</p>
<p>Using this script to convert the packet field, and it's just garbage (perhaps another issue?). - <a class="external" href="https://gist.github.com/jermdw/a39d86c36cedbfa9b9a16faed59434e5">https://gist.github.com/jermdw/a39d86c36cedbfa9b9a16faed59434e5</a><br />I also did try scapy, which doesn't seem to think the base64 packet is valid at all.</p>
<p>I think it makes sense to close this and, after I update to latest version of suricata, test more. If still present, open issue for packet field malformed. That does not appear to be related to this erspan issue as it is malformed without that header also.</p>
<p>To conclude, version 4.1.2 does not appear to have the issues with payload and payload printed fields anymore.</p>
<p><strong>Update by Peter Manev</strong>, 2019-07-29T15:58:21Z (<a class="external" href="https://redmine.openinfosecfoundation.org/issues/1382?journal_id=13173">journal 13173</a>)</p>
<p>@Jay is this the correct issue you have updated ?</p>
<p><strong>Update by Jay MJ</strong>, 2019-07-29T17:06:26Z (<a class="external" href="https://redmine.openinfosecfoundation.org/issues/1382?journal_id=13174">journal 13174</a>)</p>
<p>Peter Manev wrote:</p>
<blockquote>
<p>@Jay is this the correct issue you have updated ?</p>
</blockquote>
<p>Whoops, my apologies, no it is not. Please disregard; thank you Peter.</p>