Feature #6832: pcap/log: Support BPFs for filtering pcap output

Added by Mike Reeves about 2 years ago. Updated about 1 year ago.

Status: Closed
Priority: Normal
Description

Some users want to use Suricata full PCAP on their network but leverage BPFs to enable DPI but not write PCAP for a specific filter.

Example:

Server 1 does a nightly backup of 1TB worth of data to Server 2. Using a separate tool for PCAP we can easily use the BPF not ((host server1 and host server2) and port 445) to not write that traffic to disk. Even though we are not writing PCAP, Suricata is still inspecting the traffic and alerting on things between those hosts.

If we were using Suricata for PCAP and used that same BPF, we would no longer be inspecting that traffic.

Basic BPFs using something similar to the metadata filtering rule lingo would be sufficient.

There is a use case for filtering VXLAN traffic. Those BPFs are a little more complex:

Source IP example:
not ether[76:4] = 0x0a000001 (10.0.0.1)

Destination IP example:
not ether[80:4] = 0x0a000001 (10.0.0.1)
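The two VXLAN filters above reach past the outer headers with raw byte offsets, so it is worth seeing where 76 and 80 come from and how the hex literal relates to a dotted-quad. The script below is an added example, not code from this issue or from Suricata: it derives the inner IPv4 source/destination offsets from the fixed header sizes on the VXLAN path, builds a constructed VXLAN-encapsulated frame, and emulates BPF's `ether[off:4]` load to check which frames such a filter would exclude from pcap output. It assumes the common case the issue's offsets imply: no VLAN tags, no IP options, an IPv4 outer and inner packet, and VXLAN on UDP port 4789. All function names and sample addresses are the example's own.

```python
import ipaddress
import struct

# Header sizes along the VXLAN encapsulation path.
# Assumption: no 802.1Q tags and no IPv4 options (fixed 20-byte IP headers).
OUTER_ETH = 14
OUTER_IPV4 = 20
UDP = 8
VXLAN = 8
INNER_ETH = 14


def inner_ipv4_offsets():
    """Return (src, dst) byte offsets of the inner IPv4 addresses measured from
    the start of the outer Ethernet frame, i.e. the values BPF's ether[off:4] uses."""
    inner_ip = OUTER_ETH + OUTER_IPV4 + UDP + VXLAN + INNER_ETH  # 64
    return inner_ip + 12, inner_ip + 16  # IPv4 src at +12, dst at +16


def ip_to_bpf_word(ip):
    """Render a dotted-quad as the 32-bit hex literal compared against ether[off:4]."""
    return "0x%08x" % int(ipaddress.IPv4Address(ip))


def ether_word(frame, offset):
    """Emulate BPF 'ether[offset:4]': a big-endian 4-byte load from the frame."""
    return struct.unpack_from("!I", frame, offset)[0]


def _ipv4_header(src, dst, total_len, proto):
    # version/IHL, TOS, total length, id, flags/frag, TTL, protocol, checksum (left 0)
    return (struct.pack("!BBHHHBBH", 0x45, 0, total_len, 0, 0, 64, proto, 0)
            + ipaddress.IPv4Address(src).packed
            + ipaddress.IPv4Address(dst).packed)


def build_vxlan_frame(inner_src, inner_dst, vni=100):
    """Constructed sample frame: outer Ethernet/IPv4/UDP/VXLAN wrapping an
    inner Ethernet/IPv4 packet with no payload. Outer addresses are documentation
    ranges chosen for the example."""
    inner_ip = _ipv4_header(inner_src, inner_dst, 20, 6)            # inner TCP, no payload
    inner_eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"              # dst MAC, src MAC, IPv4
    vxlan = struct.pack("!BBHI", 0x08, 0, 0, vni << 8)               # I flag set, VNI in upper 24 bits
    udp_len = UDP + VXLAN + len(inner_eth) + len(inner_ip)
    udp = struct.pack("!HHHH", 49152, 4789, udp_len, 0)              # src port, VXLAN port, length, csum
    outer_ip = _ipv4_header("192.0.2.1", "192.0.2.2", OUTER_IPV4 + udp_len, 17)  # UDP
    outer_eth = b"\x0a" * 6 + b"\x0c" * 6 + b"\x08\x00"
    return outer_eth + outer_ip + udp + vxlan + inner_eth + inner_ip


def exclude_inner_host_filter(ip):
    """BPF text that excludes VXLAN-encapsulated packets whose inner source or
    destination address is `ip` (combines the issue's two single-direction filters)."""
    src, dst = inner_ipv4_offsets()
    w = ip_to_bpf_word(ip)
    return f"not (ether[{src}:4] = {w} or ether[{dst}:4] = {w})"


def matches_inner_host(frame, ip):
    """True if the frame's inner IPv4 src or dst equals `ip` (what the filter above negates)."""
    src, dst = inner_ipv4_offsets()
    w = int(ipaddress.IPv4Address(ip))
    return ether_word(frame, src) == w or ether_word(frame, dst) == w


if __name__ == "__main__":
    frame = build_vxlan_frame("10.0.0.1", "10.0.0.9")
    print(inner_ipv4_offsets())                    # (76, 80)
    print(exclude_inner_host_filter("10.0.0.1"))
    print(matches_inner_host(frame, "10.0.0.1"))   # True: would be dropped from pcap output
    print(matches_inner_host(frame, "10.0.0.2"))   # False: still written
```

Because the offsets are computed from header sizes, the same derivation shows why the filter breaks on tagged or option-bearing traffic: a single 802.1Q tag on the outer frame shifts every inner field by 4 bytes, and the hard-coded 76/80 then read the wrong words. A deployment that relies on such offset filters should verify them against a captured sample before trusting the exclusion.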

#1 Updated by Jason Ish over 1 year ago

  • Target version changed from TBD to 8.0.0-beta1

#2 Updated by Jason Ish about 1 year ago

  • Status changed from New to In Review

#3 Updated by Philippe Antoine about 1 year ago

  • Assignee changed from OISF Dev to Jason Ish

#4 Updated by Shivani Bhardwaj about 1 year ago

  • Status changed from In Review to Closed

#5 Updated by Victor Julien about 1 year ago

  • Subject changed from Support BPFs for filtering pcap output to pcap/log: Support BPFs for filtering pcap output