BPF Best Practices for Large Exclusions

[8inaryMata1eao]

We are having an issue with all BPF filtering ever since upgrading past 2.4.70. Since moving to .80+ the filters no longer work. I have tried with "AND" and "OR" inside the first case and reviewed the documentation, none of the attempts work. What is the best method to do large exclusions? Our clients use Tenable, so naturally i want to exclude the public ip ranges and internal scanners. Here is how I have them listed below.

Type: Distributed
Version: 2.4.100
PCAP Engine: Suricata Transition mode

(not (net 34.201.223.128/25 AND net 44.192.244.0/24 AND net 44.206.3.0/24 AND net 54.175.125.192/26 AND net 13.59.252.0/25 AND net 18.116.198.0/24 AND net 3.132.217.0/25 AND net 13.56.21.128/25 AND net 34.223.64.0/25 AND net 35.82.51.128/25 AND net 35.86.126.0/24 AND net 35.93.174.0/24 AND net 44.242.181.128/25 AND net 162.159.129.83/32 AND net 162.159.130.83/32 AND net 162.159.140.26/32 AND net 172.66.0.26/32)) &&
(not (host 10.0.0.50)) &&
(not (host 10.0.0.30)) &&
(not (host 10.0.0.10))

[reyesj2]

I think there is an issue with your BPF you have multiple AND conditions included in the NOT condition. The BPF can't match all those networks, I think you need OR in place of AND

not (net 34.201.223.128/25 OR net 44.192.244.0/24 OR net 44.206.3.0/24 OR net 54.175.125.192/26 OR net 13.59.252.0/25 OR net 18.116.198.0/24 OR net 3.132.217.0/25 OR net 13.56.21.128/25 OR net 34.223.64.0/25 OR net 35.82.51.128/25 OR net 35.86.126.0/24 OR net 35.93.174.0/24 OR net 44.242.181.128/25 OR net 162.159.129.83/32 OR net 162.159.130.83/32 OR net 162.159.140.26/32 OR net 172.66.0.26/32) &&
not host 10.0.0.50 &&
not host 10.0.0.30 &&
not host 10.0.0.10

[8inaryMata1eao]

That does not work either. I just performed a test scan against the public interfaces from the cloud scanners and they show in Suricata alerts.

[reyesj2]

Can you show an alert that is coming from an ip listed in your BPF?

You placed the BPF config in the suricata -> BPF section?

[8inaryMata1eao]

I went back and noticed that during salt-call state.highstate i get two errors on the sensors,

          ID: zeekbpfcompilationfailure
    Function: test.configurable_test_state
      Result: False
     Comment: BPF Syntax Error - Discarding Specified BPF
     Started: 15:12:06.236865
    Duration: 0.681 ms
     Changes:
----------
          ID: suribpfcompilationfailure
    Function: test.configurable_test_state
      Result: False
     Comment: BPF Syntax Error - Discarding Specified BPF
     Started: 15:17:21.033543
    Duration: 0.859 ms
     Changes:

Zeek:

not (net 34.201.223.128/25 OR net 44.192.244.0/24 OR net 44.206.3.0/24 OR net 54.175.125.192/26 OR net 3.59.252.0/25 OR net 18.116.198.0/24 OR net 3.132.217.0/25 OR net 13.56.21.128/25 OR net 34.223.64.0/25 OR net 35.82.51.128/25 OR net 35.86.126.0/24 OR net 35.93.174.0/24 OR net 44.242.181.128/25 OR net 162.159.129.83/32 OR net 162.159.130.83/32 OR net 162.159.140.26/32 OR net 172.66.0.26/32) &&
not host 10.0.0.50 &&
not host 10.0.0.30 &&
not host 10.0.0.10

Suricata:

not (net 34.201.223.128/25 OR net 44.192.244.0/24 OR net 44.206.3.0/24 OR net 54.175.125.192/26 OR net 3.59.252.0/25 OR net 18.116.198.0/24 OR net 3.132.217.0/25 OR net 13.56.21.128/25 OR net 34.223.64.0/25 OR net 35.82.51.128/25 OR net 35.86.126.0/24 OR net 35.93.174.0/24 OR net 44.242.181.128/25 OR net 162.159.129.83/32 OR net 162.159.130.83/32 OR net 162.159.140.26/32 OR net 172.66.0.26/32) &&
not host 10.0.0.50 &&
not host 10.0.0.30 &&
not host 10.0.0.10

[8inaryMata1eao]

I broke them out like the others and it resolved the errors. Will test now and update

not net 34.201.223.128/25 &&
not net 44.192.244.0/24 &&
not net 44.206.3.0/24 &&
not net 54.175.125.192/26 &&
...