Suricata custom.yaml and OPNSense 26.1.x and BPF Filter

Started by jonny5, Today at 08:25:33 PM

Wanted to start with a thank you: the /usr/local/etc/suricata/conf.d/custom.yaml appears persistent, and this allows us to further customize Suricata. Thank you, OPNSense!! We have had difficulty customizing and having it persist until now.

The issue I found appears to be that BPF filtering via netmap in the Suricata config does not work: hosts/networks that are filtered still show up in the Suricata alerts. The netmap area of suricata.yaml from OPNSense 25.x to OPNSense 26.x appears to have gone through a lot of changes.

The new divert feature is one of the new elements I have not had a chance to explore; I'm still using netmap. While it seems OPNSense hardcodes IPS mode for Suricata's netmap (you can select IDS and it still puts netmap into IPS mode, copy-mode: ips), I have used the custom.yaml to set it to "copy-mode: tap".

The documentation for BPF-Filtering within Suricata shows this as an example:
not (host IP1 or IP2 or IP3 or net NET/24)
The most desired filter is one between a subnet and one or more other subnets, and I've tried this in several ways; here's the most basic I have tried:
not ((net NET1/24 and NET2/24) or (net NET2/24 and NET3/24) or (net NET3/24 and NET1/24))
So far none of the BPF filters work with Suricata - does anyone use this and/or have experience?

Custom: ASRock 970 Extreme3 R2.0 / AMD FX-8320E / 32 GB DDR3 1866 / X520 & I350 / 500GB SATA
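Added example (mine, not from the post above and not OPNsense or Suricata code): a small evaluator for the host/net/and/or/not subset of pcap-filter syntax, so a filter like the ones quoted in the post can be checked against sample flows before it goes into custom.yaml, and so the expected effect ("these pairs should no longer produce alerts, these should") is explicit. The qualifier-inheritance rule it implements (an address written without a keyword takes the most recent keyword, so `net A and B` means `net A and net B`) is the documented pcap-filter behaviour; everything else here, including the sample addresses taken from documentation ranges, is constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed sample packet: only the IP endpoints matter for host/net filters."""
    src: str
    dst: str


class BPFSubset:
    """Parses and evaluates host/net primitives combined with and/or/not and parentheses.

    This mirrors how pcap-filter treats `host X` and `net X/N` (either endpoint may match)
    and how an unqualified address inherits the most recent qualifier.
    """

    OPERATORS = {"and", "or", "not", "(", ")"}

    def __init__(self, expression: str):
        # Split on whitespace but keep parentheses as their own tokens.
        self.tokens = re.findall(r"\(|\)|[^\s()]+", expression)
        self.pos = 0
        self.last_qualifier = None
        self.tree = self._expr()
        if self.pos != len(self.tokens):
            raise ValueError(f"unexpected token {self.tokens[self.pos]!r}")

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _next(self):
        tok = self._peek()
        self.pos += 1
        return tok

    # expr := term ('or' term)*
    def _expr(self):
        node = self._term()
        while self._peek() in ("or", "||"):
            self._next()
            node = ("or", node, self._term())
        return node

    # term := factor ('and' factor)*
    def _term(self):
        node = self._factor()
        while self._peek() in ("and", "&&"):
            self._next()
            node = ("and", node, self._factor())
        return node

    # factor := 'not' factor | '(' expr ')' | [host|net] address
    def _factor(self):
        tok = self._next()
        if tok is None:
            raise ValueError("unexpected end of filter")
        if tok in ("not", "!"):
            return ("not", self._factor())
        if tok == "(":
            node = self._expr()
            if self._next() != ")":
                raise ValueError("missing ')'")
            return node
        if tok in ("host", "net"):
            self.last_qualifier = tok
            tok = self._next()
        if tok is None or tok in self.OPERATORS:
            raise ValueError("expected an address after qualifier")
        if self.last_qualifier is None:
            raise ValueError(f"{tok!r} has no host/net qualifier to inherit")
        # A bare host becomes a /32 (or /128) network; strict=False tolerates host bits.
        return (self.last_qualifier, ipaddress.ip_network(tok, strict=False))

    def matches(self, pkt: Packet) -> bool:
        return self._eval(self.tree, ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst))

    def _eval(self, node, src, dst) -> bool:
        op = node[0]
        if op == "not":
            return not self._eval(node[1], src, dst)
        if op == "and":
            return self._eval(node[1], src, dst) and self._eval(node[2], src, dst)
        if op == "or":
            return self._eval(node[1], src, dst) or self._eval(node[2], src, dst)
        # host/net primitive: true if either endpoint falls inside the network
        return src in node[1] or dst in node[1]


def surviving(expression: str, packets):
    """Return the (src, dst) pairs that pass the filter, i.e. would still be inspected."""
    bpf = BPFSubset(expression)
    return [(p.src, p.dst) for p in packets if bpf.matches(p)]


if __name__ == "__main__":
    # Constructed flows: two inter-subnet pairs, one intra-subnet, one to the Internet.
    samples = [Packet("10.1.0.5", "10.2.0.9"), Packet("10.3.0.7", "10.1.0.1"),
               Packet("10.1.0.5", "10.1.0.9"), Packet("10.1.0.5", "203.0.113.8")]
    between_subnets = ("not ((net 10.1.0.0/24 and 10.2.0.0/24) or "
                       "(net 10.2.0.0/24 and 10.3.0.0/24) or (net 10.3.0.0/24 and 10.1.0.0/24))")
    for pair in surviving(between_subnets, samples):
        print("still inspected:", pair)
```

Because a capture-level BPF discards matching packets before Suricata ever decodes them, a filter that is really in effect removes those flows from alerts and from the eve.json flow records alike. If the evaluator says a pair should be excluded but alerts for it keep appearing, the next thing to confirm is that the filter made it into the running configuration at all (for example by comparing the interface section in the output of `suricata --dump-config` with what custom.yaml was meant to merge in) rather than reworking the expression.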