Bug #1382
open
BPF not reflected in suricata.log when using pf-ring
Added by Peter Manev about 9 years ago.
Updated about 3 years ago.
Description
Latest git 2.1dev (rev 1010406) - when using a bpf filter from a file with af-packet - this is reflected in the suricata.log.
....
(runmode-af-packet.c:148) <Info> (ParseAFPConfig) -- Going to use command-line provided bpf filter '( (ip and port 20 or 21..........
....
The same is not true when using BPF with pf-ring.
- Assignee set to Anonymous
- Target version set to TBD
- Assignee set to Community Ticket
- Status changed from New to Feedback
Andreas Herz wrote:
Is this still an issue?
I checked, it does not appear to be a problem with with printable payload and base64 encoded payload fields in eve logs. Also, suricata generated pcaps appear to be fine.
Using this script to convert the packet field, and it's just garbage (perhaps another issue?). - https://gist.github.com/jermdw/a39d86c36cedbfa9b9a16faed59434e5
I also did try scapy, which doesn't seem think the base64 packet is valid at all.
I think it makes sense to close this and, after I update to latest version of suricata, test more. If still present, open issue for packet field malformed. That does not appear to be related to this erspan issue as it is malformed without that header also.
To conclude, version 4.1.2 does not appear to have the issues with payload and payload printed fields anymore.
@Jay is this the correct issue you have updated ?
Peter Manev wrote:
@Jay is this the correct issue you have updated ?
Whoops, my apologies- no it is not. Please disregard; thank you Peter.
Also available in: Atom
PDF