Version: 2.4.70
Installation Method: Security Onion ISO image
Description: configuration
Installation Type: Distributed
Location: airgap
Hardware Specs: Exceeds minimum requirements
CPU: 8
RAM: 32
Storage for /: 1TB
Storage for /nsm: 1TB
Network Traffic Collection: span port
Network Traffic Speeds: Less than 1Gbps
Status: Yes, all services on all nodes are running OK
Salt Status: No, there are no failures
Logs: No, there are no additional clues

Detail:
I want to apply a BPF filter to avoid receiving traffic from certain networks that come through the sensors. Should I apply this filter to the manager node, or should I create a filter for each node? Will this filter applied to Stenographer prevent alerts from being generated, or will it only prevent PCAPs of those alerts from being stored?
Replies: 1 comment 1 reply
If you apply it as default, it will push out to every sensor; obviously you can select a particular sensor. According to the text on this page https://docs.securityonion.net/en/2.4/bpf.html , your service will not see the traffic, so no PCAP or Alert from that service. Notice you can apply different rules to PCAP, Suricata, and Zeek.
Also, you might consider using OR instead of AND.
i.e. not net A or not net B or not net C.
like !(net A or net B or net C)
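Before pushing an exclusion filter to every sensor, it is worth checking which packets each candidate expression would actually let through. The script below is an added example, not Security Onion code and not from the reply above: it implements a small evaluator for the subset of BPF syntax used in this thread (`net A/B`, optional `src`/`dst`, `not`/`!`, `and`/`&&`, `or`/`||`, parentheses) with BPF's operator precedence, and runs the three filter shapes mentioned (an OR of `not net` terms, a `not (... or ...)` group, and an AND of `not net` terms) over a few constructed packets. The networks and packets are constructed samples, and the evaluator is a model of BPF semantics for these keywords only, not libpcap itself.

```python
"""Model what a BPF 'net' exclusion filter captures before deploying it.

Added example (not Security Onion code). Supports only: net A/B, src net,
dst net, not/!, and/&&, or/||, parentheses. Networks and packets below are
constructed samples.
"""
import ipaddress
import re

# Split on parentheses and '!' so '!(net' becomes '!', '(', 'net'.
_TOKEN_RE = re.compile(r"\(|\)|!|[^\s()!]+")


def tokenize(expr):
    return _TOKEN_RE.findall(expr)


class _Parser:
    """Recursive descent with BPF precedence: or < and < not < primary."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse_or(self):
        node = self.parse_and()
        while self.peek() in ("or", "||"):
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_not()
        while self.peek() in ("and", "&&"):
            self.take()
            node = ("and", node, self.parse_not())
        return node

    def parse_not(self):
        if self.peek() in ("not", "!"):
            self.take()
            return ("not", self.parse_not())
        return self.parse_primary()

    def parse_primary(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("unbalanced parenthesis")
            return node
        direction = "any"          # plain 'net' matches either endpoint
        if tok in ("src", "dst"):
            direction, tok = tok, self.take()
        if tok == "net":
            return ("net", direction, ipaddress.ip_network(self.take(), strict=False))
        raise ValueError(f"unsupported token {tok!r}")


def _eval(node, src, dst):
    kind = node[0]
    if kind == "net":
        _, direction, network = node
        in_src, in_dst = src in network, dst in network
        return {"src": in_src, "dst": in_dst, "any": in_src or in_dst}[direction]
    if kind == "not":
        return not _eval(node[1], src, dst)
    if kind == "and":
        return _eval(node[1], src, dst) and _eval(node[2], src, dst)
    return _eval(node[1], src, dst) or _eval(node[2], src, dst)


def matches(expr, src, dst):
    """True if a packet src->dst passes the filter (i.e. would be captured)."""
    parser = _Parser(tokenize(expr))
    tree = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError(f"trailing tokens starting at {parser.peek()!r}")
    return _eval(tree, ipaddress.ip_address(src), ipaddress.ip_address(dst))


# Constructed sample data: three networks to exclude and three packets.
EXCLUDED = ["10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16"]
SAMPLE_PACKETS = [
    ("10.1.1.5", "8.8.8.8"),          # from excluded net A
    ("192.0.2.9", "10.2.2.2"),        # to excluded net B
    ("203.0.113.7", "198.51.100.4"),  # unrelated traffic, should stay captured
]


def or_of_nots(nets):
    return " or ".join(f"not net {n}" for n in nets)


def not_of_ors(nets):
    return "not (" + " or ".join(f"net {n}" for n in nets) + ")"


def and_of_nots(nets):
    return " and ".join(f"not net {n}" for n in nets)


def captured(expr, packets=SAMPLE_PACKETS):
    """Per-packet capture decision for a filter, in SAMPLE_PACKETS order."""
    return [matches(expr, s, d) for s, d in packets]


if __name__ == "__main__":
    for build in (or_of_nots, not_of_ors, and_of_nots):
        expr = build(EXCLUDED)
        print(f"{expr}\n  captured: {captured(expr)}")
```

Running it shows that `not (net A or net B or net C)` and `not net A and not net B and not net C` drop exactly the packets touching the excluded networks, while `not net A or not net B or not net C` captures all three sample packets, because any packet outside at least one of the networks satisfies one of the OR terms.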