[Bro] BPF packet filter syntax

Corey Roach (ISO) Corey.Roach at utah.edu
Mon Aug 27 15:41:48 PDT 2012

Before I go dive into source I thought I'd throw a quick question to the group.

Can you use the entire BPF syntax (things other than just "host") when building a Bro filter?

For example, I've got something like this in my local.bro:

redef PacketFilter::all_packets = F;
redef capture_filters = [[ "all"] = "ip or not ip"];
redef restrict_filters += [ ["not-one-host"] = "not host"];
redef restrict_filters += [ ["not-two-hosts"] = "not host and not host"];
redef restrict_filters += [ ["not-one-net"] = "not net"];
redef restrict_filters += [ ["not-two-nets"] = "not net and not net"];

But it seems that the "" network is still leaking in traffic?

Ultimately I'd like to eliminate the traffic at my upstream device, but in the meantime, does anyone see something I'm doing obviously wrong?
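As an added illustration (not part of this post or of Bro's own scripts), here is a Python sketch of how the PacketFilter framework is assumed to stitch capture_filters and restrict_filters into the single BPF string handed to libpcap: capture filters OR-ed together, restrict filters AND-ed together, each side parenthesised. The addresses are constructed placeholders from documentation ranges standing in for the ones redacted above.

```python
"""Combine Bro 2.x capture_filters / restrict_filters into one BPF expression.

Assumption: this mirrors how Bro's PacketFilter framework builds its default
filter (capture filters OR-ed, restrict filters AND-ed, then the two groups
AND-ed, with each fragment parenthesised). It is an illustration written for
this page, not Bro's own script code.
"""
from typing import Dict


def combine_filters(lfilter: str, op: str, rfilter: str) -> str:
    """Join two BPF fragments with `op`, parenthesising each side.

    Parenthesising matters: a restrict filter such as
    "not host A and not host B" dropped into a larger expression without
    parentheses could be re-grouped by BPF precedence ('and' binds tighter
    than 'or'), so the resulting filter would not mean what was intended.
    """
    if not lfilter:
        return rfilter
    if not rfilter:
        return lfilter
    return "(%s) %s (%s)" % (lfilter, op, rfilter)


def build_filter(capture: Dict[str, str], restrict: Dict[str, str]) -> str:
    """Return the combined BPF expression for the given filter tables."""
    cfilter = ""
    for name in sorted(capture):    # sorted only for deterministic output;
        cfilter = combine_filters(cfilter, "or", capture[name])   # Bro tables are unordered
    rfilter = ""
    for name in sorted(restrict):
        rfilter = combine_filters(rfilter, "and", restrict[name])
    return combine_filters(cfilter, "and", rfilter)


# Constructed sample: placeholder addresses (RFC 5737 documentation ranges)
# stand in for the hosts and nets redacted in the post.
capture_filters = {"all": "ip or not ip"}
restrict_filters = {
    "not-one-host": "not host 192.0.2.10",
    "not-two-hosts": "not host 192.0.2.11 and not host 192.0.2.12",
    "not-one-net": "not net 198.51.100.0/24",
}

if __name__ == "__main__":
    print(build_filter(capture_filters, restrict_filters))
```

Feeding the printed string to tcpdump with the same expression is a quick way to confirm libpcap accepts the combined syntax before relying on it in Bro.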

