BPF filters for zeek/suricata not working

[tuamortemo]

Version

2.4.110

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

16-32

RAM

16-32

Storage for /

200-300 GB

Storage for /nsm

1 TB

Network Traffic Collection

span port

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Relatively recently, I noticed that the BPF filters configured in config-suricata/zeek-(sensor field) do not work. There are changes in the "bpf" files in the /opt/so/conf directories on the sensors
I've need to filter traffic which use port 3260.
The filter I tried:
not port 3260
not dst port 3260
not (ip ... and port 3260)
If I understand correctly, then all traffic associated with this port in the zeek and suricata modules should not be displayed in Hunt. But I still see suricata alerts and zeek datasets.

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[cm-ops]

Just to be clear, you set your BPF in SOC > Administration > Configuration > bpf? This should work not port 3260,

[cm-ops]

I meant your BPF configuration in SOC, what does that look like?

[tuamortemo]

I apologize for the long wait
Zeek BPF config, which is used on all sensors and generally works when comparing tcpdump and soc
not dst portrange 2500-2525 &&
not port 902 &&
not port 3260

[cm-ops]

That BPF looks okay, so on that one sensor you are seeing traffic that is coming from one of those ports? But not on the other three?

[tuamortemo]

Yes, there are two more sensors with the same filters. Judging by tcpdump, there is also traffic with these ports, but they do not reach hunt

[cm-ops]

If they are reaching Hunt, they aren't making it to Elasticsearch, so I would think the BPF is working.