Suricata custom.yaml and OPNSense 26.1.x and BPF Filter

Started by jonny5, March 04, 2026, 08:25:33 PM

Wanted to start with a thank you, the /usr/local/etc/suricata/conf.d/custom.yaml appears persistent and this allows us to further customize Suricata, thank you OPNSense!! We have had difficulty customizing and having it persist until now.

The issue found appears to be that BPF Filtering via netmap in the Suricata config does not appear to work, hosts/networks filtered still show up in the Suricata alerts. The netmap area of suricata.yaml from OPNSense 25.x to OPNSense 26.x appears to have gone through a lot of changes.

The new divert feature is one of the new elements I have not had a chance to explore; I'm using PCAP IDS mode for Suricata.

The documentation for BPF-Filtering within Suricata shows this as an example:
not (host IP1 or IP2 or IP3 or net NET/24)
A most desired filter is between a subnet and one or more other subnets, and I've tried this in several ways; here's the most basic I have tried:
not ((net NET1/24 and NET2/24) or (net NET2/24 and NET3/24) or (net NET3/24 and NET1/24))
So far none of the BPF filters work with Suricata - does anyone use this and/or have experience?

Edit:
For a while I was only looking at the suricata.yaml file and didn't realize the level of control that went into the command line execution of arguments sent to suricata on service start. For a while I was trying to put netmap in IDS mode thinking that's how the traffic was going and wondering why the BPF filter for netmap wasn't working.
Custom: ASRock 970 Extreme3 R2.0 / AMD FX-8320E / 32 GB DDR3 1866 / X520 & I350 / 500GB SATA

More or less forced a BPF filter for Suricata in PCAP mode as I realized that is configured on the command line options...

So I edited "/usr/local/etc/rc.d/suricata" and replaced the now commented-out line with the following line:
# [ -z "$suricata_flags" ]    && suricata_flags="-D"
suricata_flags="-D -F /usr/local/etc/suricata/capture-filter.bpf"

Now I have already tested the earlier BPF: it starts with it, and it filters (I was able to comment out the pass rules I was using to ignore traffic).

How can we enable natural use of the -F <filename> for a BPF filter to use when in PCAP mode?

To all doing IPS and wondering if you can BPF for Suricata, in short, no, it does not appear so.

If you were to BPF your IPS, you would now have the BPF filter itself as a first-level filter on your network for all interfaces Suricata would be IPS for... which, if you are only trying to get Suricata to focus on important stuff, isn't going to work here, as it filters the traffic before Suricata sees it and thus it cannot pass it along.
Custom: ASRock 970 Extreme3 R2.0 / AMD FX-8320E / 32 GB DDR3 1866 / X520 & I350 / 500GB SATA
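As an added illustration of the two filters discussed above (the "not (host ... or net ...)" form from the Suricata docs and the pairwise subnet exclusion handed to suricata via -F in PCAP mode), the script below is example code written for this thread, not code from the forum posts, OPNsense or Suricata. It generates the pairwise "not ((net A and net B) or ...)" expression for any list of subnets (same meaning as the three-pair version in the first post, pairs emitted in combination order), writes it as the one-line file suricata -F expects, and then evaluates the expression against constructed flows with a small evaluator that covers only the pcap-filter subset used here (host, net, and, or, not, parentheses, and qualifier inheritance such as "host A or B"). Real BPF compilation is done by libpcap; the subnets, addresses and the /tmp file path are constructed sample values. The inspected() result is exactly the point made above: a packet the filter excludes never reaches the engine, which is fine for IDS but is why the same filter cannot sit in front of an inline IPS.

```python
"""Added example (not from the thread, OPNsense or Suricata): build and
evaluate a pcap-filter subset such as Suricata's -F capture filter.
Subnets and addresses below are constructed sample values."""
import ipaddress
import itertools
import re
from pathlib import Path

TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")


class BpfSubsetParser:
    """Recursive descent with pcap-filter precedence: not > and > or."""

    def __init__(self, expr):
        self.toks = TOKEN_RE.findall(expr)
        self.pos = 0
        self.qualifier = None  # last "host"/"net", inherited by bare values

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of filter")
        self.pos += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def parse_or(self):
        node = self.parse_and()
        while self.peek() == "or":
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_not()
        while self.peek() == "and":
            self.take()
            node = ("and", node, self.parse_not())
        return node

    def parse_not(self):
        if self.peek() == "not":
            self.take()
            return ("not", self.parse_not())
        return self.parse_primary()

    def parse_primary(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok in ("host", "net"):
            self.qualifier = tok
            tok = self.take()
        if self.qualifier is None:
            raise ValueError(f"value {tok!r} has no host/net qualifier")
        # "host X" becomes the /32 (or /128) network containing X.
        return ("match", ipaddress.ip_network(tok, strict=False))


def packet_matches(node, src, dst):
    """Unqualified host/net (no src/dst keyword) matches either endpoint."""
    kind = node[0]
    if kind == "not":
        return not packet_matches(node[1], src, dst)
    if kind == "and":
        return packet_matches(node[1], src, dst) and packet_matches(node[2], src, dst)
    if kind == "or":
        return packet_matches(node[1], src, dst) or packet_matches(node[2], src, dst)
    return src in node[1] or dst in node[1]


def inspected(expr, src, dst):
    """True if a packet src->dst passes the capture filter and reaches Suricata."""
    node = BpfSubsetParser(expr).parse()
    return packet_matches(node, ipaddress.ip_address(src), ipaddress.ip_address(dst))


def pairwise_exclusion(subnets):
    """'not ((net A and net B) or ...)' for every pair: only traffic between
    two listed subnets is dropped; intra-subnet and external flows stay."""
    pairs = [f"(net {a} and net {b})" for a, b in itertools.combinations(subnets, 2)]
    return "not (" + " or ".join(pairs) + ")"


def write_capture_filter(path, expr):
    """Write the single-line file passed to 'suricata -F <path>'."""
    Path(path).write_text(expr + "\n", encoding="utf-8")
    return Path(path).read_text(encoding="utf-8").strip()


if __name__ == "__main__":
    expr = pairwise_exclusion(["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"])
    print(write_capture_filter("/tmp/capture-filter.bpf", expr))  # hypothetical path
    for src, dst in [("10.0.1.10", "10.0.2.20"),      # between two listed subnets
                     ("10.0.1.10", "10.0.1.50"),      # inside one subnet
                     ("10.0.1.10", "198.51.100.7")]:  # to/from outside
        print(f"{src:>14} -> {dst:<14} inspected={inspected(expr, src, dst)}")
```

Running it prints the generated filter and shows that only the flow between two listed subnets is kept away from the engine, while intra-subnet and external flows are still inspected; swap in your own networks and flows to check a filter before dropping it into capture-filter.bpf.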

Looking at an "easy learning moment". Developers / OPNSense devs, please advise!

To setup a development environment, one would VM the OPNSense, and using forks of the OPNSense Github repos, run a command on the OPNSense VM after we make the feature branch and change to apply it into the live environment?

It seems the directive to engage modifications that touch the Web GUI is explained here: https://docs.opnsense.org/development/workflow.html#packages

This would be growth on my previous PR experience, and would be great to add a menu option within conditions to allow for a file to exist with at least one line of syntax in it.

This would allow IDS-configured Suricata PCAP bpf-filter to do its thing and lighten the load where it matters most, the inspection/workers. Further, if you configure layer 3/6/7 (pf+reverse-proxy-waf), then you have an 'echo' of IPS possibly without any IPS limitation. Further, CTI, cyber threat intelligence. Each attack matters in the global internet landscape.

Please share any lessons learned, will be using Proxmox instead of VirtualBox, and URLs/Youtubes as far as examples or guides that cover this Web GUI <-> OPNSense State abstraction - down to the services and how the args and environment vars work.

Sometimes a helper is that you just gotta turn and start on page XY, instead of starting on the first page, to get jump-started. Cannonball development lol, and if it requires reading from the beginning then it does.
Custom: ASRock 970 Extreme3 R2.0 / AMD FX-8320E / 32 GB DDR3 1866 / X520 & I350 / 500GB SATA