Bug #2289

af-packet bpf filtering failed to select multiple vlan

Added by Julien Bachmann 7 months ago. Updated 4 months ago.

Status: New
Priority: Low
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:

Description

Hello,

  1. Intro
     This issue is not specific to Suricata but common to all tools using BPF (e.g. tcpdump).
  2. Problem
     - we are receiving 802.1Q traffic on the interface on which Suricata is listening
     - we only want to inspect traffic on a specific VLAN
     - using BPF (af-packet), we tried filtering on 'vlan X or vlan Y' and '(vlan X) or (vlan Y)', but neither worked

We are aware that the problem is due to the BPF code generation, which writes it so that Y is supposed to be encapsulated in X. This is documented in several places, including [1].

Still writing this issue after discussing it with Eric Leblond at SuriCon, in case some (e)BPF-fu can solve this :)

[1] https://taosecurity.blogspot.ch/2008/12/bpf-for-ip-or-vlan-traffic.html
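The following is an added illustration of the behaviour this report describes; it is not part of the issue, of Suricata, or of libpcap. It builds a few constructed 802.1Q frames (single-tagged, double-tagged/QinQ, S-TAG, untagged), parses the tag stack, and evaluates three things over them: a model of how libpcap compiles 'vlan X or vlan Y' (the assumption, taken from the offset-shift behaviour described in [1], is that the first `vlan` moves the link-layer offset by 4 bytes so the second `vlan` tests an inner tag), the match the reporter actually wanted (outermost VLAN ID is X or Y), and the classic raw-offset workaround `ether[12:2] = 0x8100 and (ether[14:2] & 0x0fff = X or ether[14:2] & 0x0fff = Y)` evaluated byte-for-byte. MAC addresses, VLAN IDs and the IPv4 payload are placeholders.

```python
import struct

# Constructed example, not code from the issue or from Suricata/libpcap.
ETH_P_8021Q = 0x8100   # C-TAG (customer VLAN)
ETH_P_8021AD = 0x88A8  # S-TAG (provider VLAN, QinQ outer tag)
ETH_P_IP = 0x0800


def build_frame(tags, payload=b"\x45" + b"\x00" * 19):
    """Build an Ethernet frame with zero or more stacked VLAN tags.

    `tags` is a list of (vid, pcp, tpid) tuples, outermost first. The MAC
    addresses and the minimal IPv4 payload are constructed placeholders.
    """
    frame = bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455")
    for vid, pcp, tpid in tags:
        tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)   # TCI = PCP(3) | DEI(1) | VID(12)
        frame += struct.pack("!HH", tpid, tci)
    return frame + struct.pack("!H", ETH_P_IP) + payload


def vlan_ids(frame):
    """Walk the tag stack starting at the EtherType field (offset 12).

    Returns VLAN IDs outermost first; stops at the first non-tag EtherType.
    """
    ids = []
    off = 12
    while off + 4 <= len(frame):
        ethertype, tci = struct.unpack_from("!HH", frame, off)
        if ethertype not in (ETH_P_8021Q, ETH_P_8021AD):
            break
        ids.append(tci & 0x0FFF)   # mask off PCP/DEI bits
        off += 4
    return ids


def libpcap_vlan_or_vlan(frame, x, y):
    """Model of 'vlan X or vlan Y' as libpcap compiles it (assumption, per [1]).

    The first `vlan` tests the tag at offset 12 and, as a compile-time side
    effect, shifts every later link-layer test by 4 bytes. `vlan Y` therefore
    tests the tag at offset 16, i.e. an inner tag: Y only matches when it is
    encapsulated in a frame whose outer tag sits where X was tested. (The
    corner case of non-tag bytes at offset 16 looking like a tag is ignored.)
    """
    ids = vlan_ids(frame)
    outer_is_x = len(ids) >= 1 and ids[0] == x
    inner_is_y = len(ids) >= 2 and ids[1] == y
    return outer_is_x or inner_is_y


def intended_vlan_or_vlan(frame, x, y):
    """What the reporter wanted: frames whose outermost VLAN ID is X or Y."""
    ids = vlan_ids(frame)
    return len(ids) >= 1 and ids[0] in (x, y)


def raw_offset_vlan_or_vlan(frame, x, y):
    """The raw-offset workaround, evaluated byte-for-byte on the frame:
        ether[12:2] = 0x8100 and (ether[14:2] & 0x0fff = X or ether[14:2] & 0x0fff = Y)
    No `vlan` keyword is used, so no offset shifting occurs. Note it only
    recognises the 0x8100 TPID, so S-TAGged (0x88A8) frames are missed.
    """
    if len(frame) < 16:
        return False
    ethertype, tci = struct.unpack_from("!HH", frame, 12)
    return ethertype == ETH_P_8021Q and (tci & 0x0FFF) in (x, y)


# Constructed sample frames (names describe the tag stack).
SAMPLES = {
    "vlan10":        build_frame([(10, 0, ETH_P_8021Q)]),
    "vlan20_pcp5":   build_frame([(20, 5, ETH_P_8021Q)]),   # PCP set: the 0x0fff mask matters
    "qinq_20_in_10": build_frame([(10, 0, ETH_P_8021Q), (20, 0, ETH_P_8021Q)]),  # Y inside X
    "stag20":        build_frame([(20, 5, ETH_P_8021AD)]),  # provider S-TAG, not 0x8100
    "untagged":      build_frame([]),
}


def evaluate(x=10, y=20):
    """Run all three evaluators; returns {name: (libpcap_model, intended, raw_offset)}."""
    return {
        name: (libpcap_vlan_or_vlan(f, x, y),
               intended_vlan_or_vlan(f, x, y),
               raw_offset_vlan_or_vlan(f, x, y))
        for name, f in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (pcap, want, raw) in evaluate().items():
        print(f"{name:14s} libpcap-model={pcap!s:5} intended={want!s:5} raw-offset={raw}")
```

The single-tagged VLAN 20 frame is exactly the case the report complains about: the intended filter accepts it, the modelled 'vlan 10 or vlan 20' does not, because the second `vlan` is looking 4 bytes further in for an inner tag. The raw-offset form avoids the shift but has its own limits (only TPID 0x8100, and on Linux af-packet a tag the kernel has already stripped into socket metadata is not visible at fixed byte offsets at all), which is why a filter that reads the VLAN fields directly, such as the eBPF one mentioned in the history below, is the cleaner route.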

History

#1 Updated by Andreas Herz 7 months ago

  • Target version set to TBD

#2 Updated by Eric Leblond 7 months ago

My current eBPF branch has an eBPF filter dedicated to VLAN filtering: https://github.com/regit/suricata/blob/ebpf-4.0-v5/src/ebpf/vlan_filter.c

I still need to test it but it should implement what you want. Let me know if you need something more (like additional filtering).

#3 Updated by Julien Bachmann 4 months ago

Eric Leblond wrote:

My current eBPF branch has an eBPF filter dedicated to VLAN filtering: https://github.com/regit/suricata/blob/ebpf-4.0-v5/src/ebpf/vlan_filter.c

I still need to test it but it should implement what you want. Let me know if you need something more (like additional filtering).

Thanks for the documentation posted today/yesterday! I was actually looking back at this and wasn't sure how to use it :)
