[Bro] BPF packet filter syntax

Seth Hall seth at icir.org
Mon Aug 27 19:39:17 PDT 2012

On Aug 27, 2012, at 6:41 PM, Corey Roach (ISO) <Corey.Roach at utah.edu> wrote:

> redef restrict_filters += [ ["not-two-nets"] = "not net and not net"];

I'm surprised that Bro is starting up for you.  When I try running with these lines I get a message about a bad filter.  The line that I left above doesn't work as a valid BPF filter: there are network bits beyond the netmask, which BPF doesn't seem to like.

I think the CIDRs you meant to use are:

So use this instead:
	redef restrict_filters += { ["not-two-nets"] = "not net and not net" };

> Ultimately I'd like to eliminate the traffic at my upstream device, but in the meantime, does anyone see something I'm doing obviously wrong?

Once again, I'd like to apologize to everyone for not getting the rewritten packet filter framework into 2.1.  This will be so much easier when that's finally included (the worst part is that it's already done!).


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
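The check the message describes (a `net` primitive whose address has bits set beyond its netmask), as an added Python example that is not part of the thread; the CIDRs are constructed RFC 5737 documentation ranges, not the poster's, and only IPv4 `net A.B.C.D/N` primitives are handled:

```python
import ipaddress
import re

# Matches the "net A.B.C.D/N" primitive of a BPF expression (IPv4 only here).
NET_PRIMITIVE = re.compile(r"\bnet\s+(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\b")


def check_net_primitives(bpf_filter):
    """Return (cidr, normalized) for every `net A.B.C.D/N` whose address has
    host bits set beyond the netmask. libpcap rejects such a primitive, which
    is the "bad filter" failure discussed in the message above."""
    problems = []
    for cidr in NET_PRIMITIVE.findall(bpf_filter):
        try:
            # strict=True raises ValueError when host bits are set.
            ipaddress.IPv4Network(cidr, strict=True)
        except ValueError:
            # strict=False masks the host bits off, giving the intended network.
            normalized = ipaddress.IPv4Network(cidr, strict=False)
            problems.append((cidr, str(normalized)))
    return problems


def normalize_filter(bpf_filter):
    """Rewrite every offending `net` primitive to its network address so the
    expression becomes a BPF filter libpcap will compile."""
    def fix(match):
        return "net " + str(ipaddress.IPv4Network(match.group(1), strict=False))
    return NET_PRIMITIVE.sub(fix, bpf_filter)


# Constructed sample (RFC 5737 documentation ranges, not the poster's networks):
# the first CIDR has host bits set beyond its /24 mask, the second is clean.
SAMPLE = "not net 192.0.2.17/24 and not net 198.51.100.0/24"

if __name__ == "__main__":
    for cidr, fixed in check_net_primitives(SAMPLE):
        print(f"{cidr}: host bits beyond netmask, did you mean {fixed}?")
    print(normalize_filter(SAMPLE))
```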
