Project

General

Profile

Actions
Copy link

Bug #8002

open

pcap-log: bpf-filter not applied when using multi mode

Added by Alain Térieur 4 days ago. Updated 3 days ago.

Status:
Resolved
Priority:
Normal
Assignee:
Victor Julien
Target version:
9.0.0-beta1
Affected Versions:
8.0.0
Effort:
Difficulty:
Label:
C

Description

Feature #6832 added a bpf-filter option to the pcap-log section in version 8.0.0. The filter works fine in normal mode but is silently ignored in multi mode.

In multi mode, each thread gets its own PcapLogData through PcapLogDataCopy() . This function doesn't copy bpf_filter or bpfp . There also doesn't seem to be any shared BPF filter applied across threads, so effectively the filter is never applied in multi mode.

Steps to reproduce:
1. Configure pcap-log with mode: multi, conditionnal: all and a bpf-filter (e.g. "udp port 53" ).
2. Run suricata on traffic matching and not matching the filter.
3. Observe that all packets are logged, filter is ignored.

Expected: Only packets matching the BPF filter should be logged in all threads.
Actual: Filter is ignored and all packets are logged.

Subtasks 1 (1 open0 closed)

Bug #8005: pcap-log: bpf-filter not applied when using multi mode (8.0.x backport)AssignedVictor JulienActions
Actions
Copy link
 #1

Updated by Victor Julien 4 days ago

  • Status changed from New to In Progress
  • Assignee changed from OISF Dev to Victor Julien
  • Target version changed from TBD to 9.0.0-beta1
Actions
Copy link
 #2

Updated by Victor Julien 4 days ago

  • Status changed from In Progress to In Review
Actions
Copy link
 #3

Updated by Victor Julien 4 days ago

  • Label Needs backport to 8.0 added
Actions
Copy link
 #4

Updated by OISF Ticketbot 4 days ago

  • Subtask #8005 added
Actions
Copy link
 #5

Updated by OISF Ticketbot 4 days ago

  • Label deleted (Needs backport to 8.0)
Actions
Copy link
 #6

Updated by Victor Julien 3 days ago

  • Status changed from In Review to Resolved
Actions
Copy link

Also available in: Atom PDF