Suricata: Add BPF filtering #8443
Conversation
|
@0xThiebaut I'm not sure about this to be be honest, bpf filters are highly sensitive and influence which traffic will be evaluated at all (not only the information feed). When trying to reduce the logging feed, it might be better to filter the input of the receiving end or the mechanism used to ship it somewhere. |
|
@AdSchellevis I realize BPF filters are sensitive (hence the field flagged as advanced) but they play an important role in avoiding noise and amplifications generated by log and PCAP transports. The long-term goal I want to achieve is to permit using OPNsense as a proper network sensor to provide functionality close to CISA's Malcolm which ships Suricata events and PCAPs (something I plan on PR'ing soon). Without a BPF filter, any PCAP shipped to a secondary appliance will be recorded and shipped in a continuous loop. In Malcolm as well, their sensors recommend using a BPF filter to avoid "loops" where we record the sensor's own communications. A similar pattern (not yet amplifying) can be observed when using opnsense/plugins#4591 to ship Suricata events, where a "quiet" appliance will still record its own reporting traffic in a loop.
Without a BPF filter, local PCAP processing will be required to filter out reporting traffic, which results in a DIY BPF filter. |
|
flagging a field as advanced won't stop users from offering faulty input I'm afraid. From their command line setup I understand why they opt for bpf filters, in reality on our end this will cause a maintenance nightmare. Logically, I would expect you can filter these events also out from your logging pipeline, in which case you would move the issue to a more logical place. |
|
I admit I didn't take the support nightmare into account. On the other hand, moving the logic to after the capture can introduce some additional challenges where either the filtering logic will need to happen on the OPNsense appliance or appliances fetching the PCAPs (e.g., Would an acceptable compromise be to have the user provide an |
|
I'm not sure, but also doubt a bit why filtering within filebeat (the linked PR) would be problematic. |
|
Hi @AdSchellevis , apologies for not being clear. Exporting the logs (e.g., through Filebeat) generates noise but no amplification. However, when relying on the Suricata PCAP feature (#8450), exporting those could generate amplification, which is typically prevented through a BPF filter. |
|
@0xThiebaut you are aware that we already have an included packet capture in OPNsense? I'm not sure this is a direction we should be heading as it will lead to a lot more work and regressions later |
|
@AdSchellevis I'm aware of Diagnostics: Packet capture, but unless I am mistaken this is not something designed to run continuously (rotating files, capture across reboots, ...)? |
|
@0xThiebaut what ad is saying is there is an option in the ui for suricata in the suricata settings page where you can enable pcap output that is just a checkbox. I have this enabled myself so I think that is what ad means? |
|
It's in the advanced menu of suricata and it's called log package payload |
Continuously running shouldn't be an issue, but it's designed to inspect targeted traffic indeed. Knowing the work needed to make that feature useable, I'm pretty sure I don't want to redo that again. Adding a flag in suricata is the easy part. If people want to use pcaps with suricata, custom includes should likely work. |
Add support for BPF filtering.
This feature can be employed to avoid amplification if Suricata logs are exported (for example, using #8450).