Just so I am clear, the BPF filter is simply |
Version: 2.4.201
Installation Method: Security Onion ISO image
Description: configuration
Installation Type: Distributed
Location: on-prem with Internet access
Hardware Specs: Exceeds minimum requirements
CPU: 4
RAM: 128
Storage for /: 500G
Storage for /nsm: 15T
Network Traffic Collection: span port
Network Traffic Speeds: 1Gbps to 10Gbps
Status: Yes, all services on all nodes are running OK
Salt Status: No, there are no failures
Logs: No, there are no additional clues
Detail:
Hi,
Having weird issues wrt. filtering capture traffic out of an 802.1x trunk. Topology is as follows:
L1: Local LAN-Switch where both a firewall and my SO-sensor node connect to
L2: Firewall is connected to the switch via Trunk-interface thus carrying traffic for a bunch of VLANs. On the switch I've got a SPAN set up ("monitor" in Cisco lingo) that mirrors all traffic to/from the firewall to the port my sensor node is connected to.
The plan: Since I'm only interested in getting/analyzing Traffic in a particular VLAN on S.O. I set up BPF filters in SO identically for
as
vlan 555. Unfortunately that didn't work: I'm still getting Suricata and Zeek alerts from S.O. about traffic in other VLANs. Shouldn't the BPF for Suricata and Zeek respectively make sure that only traffic tagged with VLAN 555 makes its way to Suricata/Zeek?
Only for PCAP does the filter seem to work: when starting from a Suricata alert I opt for "PCAP", I only get packet data for alerts for VLAN 555, whereas for any Suricata alerts from other VLANs there are no packets.
Any clue as to what might be wrong here, i.e. why a BPF "vlan xxx" doesn't work for Suricata/Zeek?
PS: Please note that filtering out traffic on the SPAN-source-interface (i.e. where the firewall connects to) is not an option, since that source traffic is also mirrored to another interface aside from the one the S.O. sensor connects to.
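As an added illustration that is not part of this discussion or of Security Onion's code: a small Python parser that applies the same test a BPF `vlan 555` primitive performs (an 802.1Q/802.1ad TPID after the MAC addresses, VID in the low 12 bits of the TCI) to constructed frames of the kind a SPAN of a firewall trunk would deliver. The MAC addresses, VIDs and frame names are made up for the sample.

```python
from __future__ import annotations
import struct

TPID_8021Q = 0x8100   # single 802.1Q tag
TPID_8021AD = 0x88A8  # outer (service) tag of a stacked QinQ / 802.1ad frame


def vlan_ids(frame: bytes) -> list[int]:
    """Return the VIDs of all VLAN tags on an Ethernet frame, outermost first.
    Untagged frames give []. Only the 12-bit VID is kept; PCP/DEI are ignored."""
    ids = []
    offset = 12                              # skip destination + source MAC
    while len(frame) >= offset + 4:
        tpid, tci = struct.unpack_from("!HH", frame, offset)
        if tpid not in (TPID_8021Q, TPID_8021AD):
            break                            # reached the real EtherType
        ids.append(tci & 0x0FFF)
        offset += 4
    return ids


def matches_vlan(frame: bytes, vid: int) -> bool:
    """Same test as the BPF primitive 'vlan <vid>': the first (outermost) tag
    must carry this VID. A frame whose tag was stripped can never match."""
    ids = vlan_ids(frame)
    return bool(ids) and ids[0] == vid


def build_frame(dst_mac: str, src_mac: str, vids: list[int]) -> bytes:
    """Build a constructed test frame with zero or more VLAN tags (outer tag
    uses 0x88A8 when stacked), then an IPv4 EtherType and a dummy payload."""
    frame = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac)
    for i, vid in enumerate(vids):
        tpid = TPID_8021AD if (len(vids) > 1 and i == 0) else TPID_8021Q
        frame += struct.pack("!HH", tpid, vid & 0x0FFF)
    return frame + struct.pack("!H", 0x0800) + bytes(20)


# Constructed sample of what a SPAN of a firewall trunk might deliver.
FRAMES = {
    "vlan555":  build_frame("001122334455", "00aabbccdd01", [555]),
    "vlan10":   build_frame("001122334455", "00aabbccdd02", [10]),
    "untagged": build_frame("001122334455", "00aabbccdd03", []),
    "qinq":     build_frame("001122334455", "00aabbccdd04", [100, 555]),
}


def keep_for_sensor(frames: dict[str, bytes], vid: int) -> list[str]:
    """Names of frames that a 'vlan <vid>' capture filter would pass on."""
    return [name for name, f in frames.items() if matches_vlan(f, vid)]
```

Running the same parser over frames captured on the sniffing interface shows whether the tags actually reach the capture path: if frames from the trunk parse as untagged there, the NIC's rx-vlan offload (visible with `ethtool -k <iface>`) is worth checking, since a stripped tag cannot match `vlan 555`.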