Bug #8002: pcap-log: bpf-filter not applied when using multi mode - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #8002

closed

pcap-log: bpf-filter not applied when using multi mode

Added by Alain Térieur 26 days ago. Updated 11 days ago.

Status:

Closed

Priority:

Normal

Assignee:

Victor Julien

Target version:

9.0.0-beta1

Affected Versions:

8.0.0

Effort:

Difficulty:

Label:

Description

Feature #6832 added a bpf-filter option to the pcap-log section in version 8.0.0. The filter works fine in normal mode but is silently ignored in multi mode.

In multi mode, each thread gets its own PcapLogData through PcapLogDataCopy() . This function doesn't copy bpf_filter or bpfp . There also doesn't seem to be any shared BPF filter applied across threads, so effectively the filter is never applied in multi mode.

Steps to reproduce:
1. Configure pcap-log with mode: multi, conditionnal: all and a bpf-filter (e.g. "udp port 53" ).
2. Run suricata on traffic matching and not matching the filter.
3. Observe that all packets are logged, filter is ignored.

Expected: Only packets matching the BPF filter should be logged in all threads.
Actual: Filter is ignored and all packets are logged.

Subtasks 1 (0 open — 1 closed)