Feature #3439
openbpf-filter does not accept path/file
Description
This discussion took place in the following thread https://lists.openinfosecfoundation.org/pipermail/oisf-users/2020-January/017352.html and moved to this Issue after a recommendation from Peter.
Issue
bpf-filter option in suricata.yaml only accepts the filter expression itself, and not a path to a file containing the filters to apply.
When using a file for BPF filtering with the -F option, Suricata accepts the file and translates its contents into a BPF expression (as intended). There should be a way to specify this file in the configuration file, similar to -F. Ideally, bpf-filter would accept both the expression itself (i.e. not host 1.1.1.1) and a path.
Currently, if bpf-filter contains a path, for example bpf-filter: /etc/suricata/capture-filter.bpf, the path string is handed to the BPF compiler as if it were an expression and the following error occurs:
[12118] 10/1/2020 -- 11:41:29 - (source-af-packet.c:2274) <Error> (AFPSetBPFFilter) -- [ERRCODE: SC_ERR_AFP_CREATE(190)] - Failed to compile BPF "/etc/suricata/capture-filter.bpf": syntax error in filter expression: syntax error
[12118] 10/1/2020 -- 11:41:29 - (source-af-packet.c:1507) <Error> (ReceiveAFPLoop) -- [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error
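The error above is what happens when the literal string /etc/suricata/capture-filter.bpf reaches pcap_compile(): it is not a valid filter expression. The following is an added example (not Suricata's own code) of the resolution step the feature request asks for: treat the bpf-filter value as a file only if it names an existing regular file, translate that file into a single expression the way a file-based option must (drop # comments, join lines with spaces), and otherwise pass the value through unchanged. The sample filter file is constructed for the demo; the function names and the "existing regular file" test are this example's assumptions, not anything Suricata implements.

```python
"""Resolve a bpf-filter config value that may be either an expression or a path."""
import os
import tempfile


def bpf_file_to_expression(text: str) -> str:
    """Turn the contents of a BPF filter file into one filter expression.

    Before the string can be given to pcap_compile(), '#' comments must be
    removed and the remaining lines joined with spaces. Blank and
    comment-only lines are dropped. (Added example; not Suricata's code.)
    """
    parts = []
    for line in text.splitlines():
        code, _, _comment = line.partition("#")
        code = code.strip()
        if code:
            parts.append(code)
    return " ".join(parts)


def resolve_bpf_filter(value: str) -> str:
    """Return the BPF expression for a bpf-filter setting.

    Assumption of this example: a value that names an existing regular file
    is read and translated; anything else is treated as the expression
    itself. A path that does not exist is therefore returned unchanged,
    which is exactly the string that fails with "syntax error" in the
    report above.
    """
    value = value.strip()
    if os.path.isfile(value):
        with open(value, encoding="utf-8") as fh:
            return bpf_file_to_expression(fh.read())
    return value


# Constructed sample filter file, not a real deployment's filter.
SAMPLE_FILTER_FILE = """\
# capture-filter.bpf (constructed sample)
not host 1.1.1.1
and not port 22   # management ssh
"""


def demo() -> tuple:
    """Write the sample file to a temp dir and resolve three kinds of value."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "capture-filter.bpf")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_FILTER_FILE)
        from_file = resolve_bpf_filter(path)
    inline = resolve_bpf_filter("not host 1.1.1.1")
    missing = resolve_bpf_filter("/etc/suricata/does-not-exist.bpf")
    return from_file, inline, missing


if __name__ == "__main__":
    for label, expr in zip(("file", "inline", "missing"), demo()):
        print(f"{label:8s}: {expr!r}")
```

One caveat a real implementation would have to settle: a short expression such as ip or arp is also a plausible relative file name, so the file check should be done against an absolute path or an explicit prefix rather than a bare existence test in the working directory. The example above keeps the simple existence test so the ambiguity is visible.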