Suricata

Victor Julien wrote:

Sounds like something for a BPF? A filter like 'not proto 47' to ignore GRE. MPLS can probably done in a similar way.

thanks for you replying

where can I add this filter please ? :)

https://suricata.readthedocs.io/en/latest/performance/ignoring-traffic.html#capture-filters-bpf

Victor Julien wrote:

https://suricata.readthedocs.io/en/latest/performance/ignoring-traffic.html#capture-filters-bpf

I already try that, but it doesn't work, it just tcp, udp, and icpm protocol work :(((
because, whand I tried gre protocol, the suricata service doest restart and I got I error. :((

lolilol party wrote:

Victor Julien wrote:

https://suricata.readthedocs.io/en/latest/performance/ignoring-traffic.html#capture-filters-bpf

I already try that, but it doesn't work, it just tcp, udp, and icpm protocol work :(((
because, whend I tried gre protocol, the suricata service doest not restart and I got an error. :((

Can you show what you tried so far? I have used a gre bpf quite recently, so at least that part should work.

Victor Julien wrote:

Can you show what you tried so far? I have used a gre bpf quite recently, so at least that part should work.

yes,

/etc/init.d/suricata

SURICATA_OPTIONS=" -c $SURCONF --pidfile $PIDFILE $LISTEN_OPTIONS -D -vvv $USER_SWITCH not gre" 

/var/log:suricata.log
15/10/2018 -- 09:08:34 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Filter compilation failed.
15/10/2018 -- 09:08:34 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Set AF_PACKET bpf filter "not gre" failed.
15/10/2018 -- 09:08:34 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error

Can you try my suggestion from comment #1 above? 'not proto 47'

Victor Julien wrote:

Can you try my suggestion from comment #1 above? 'not proto 47'

yes I did that, after search about BPF

--af-packet -D -vvv not (tcp and udp port 47)

I also find, this

l4proto <protocol>
where <protocol> is either a protocol number or a name.

so what is the better between above and below :

not (l4proto gre and mpls)

but above rules, does not work :(

lolilol party wrote:

Victor Julien wrote:

Can you try my suggestion from comment #1 above? 'not proto 47'

yes I did that, after search about BPF
[...]

I also find, this
[...]

so what is the better between above and below :

not (l4proto gre and mpls-in-ip)

but above rules, does not work :(

forget my above post,

I try this 'not proto 47', so it is good, now for mpls, I want to filtre mlps above udp protocol any idea ?

because, juste 'not proto 47 and not mpls' it will look at the standard location, above ethernet

Did you find a way? I'm not familiar with how to filter mpls, but bpf may have a way.