[Bro] BPF packet filter syntax

Corey Roach (ISO) Corey.Roach at utah.edu
Mon Aug 27 22:24:33 PDT 2012


Actually, I fudged the addresses in an attempt to simplify the question, but I neglected to check the cidr boundaries, so I guess it didn't make it simpler after all. :)


More specifically, the actual line in question is:

redef restrict_filters += [ ["not-flux"] = "not net 155.98.32.0/20 and not net 155.98.60.0/22"];

And I'm getting the notice:

SSH::Password_Guessing  Threshold crossed by metric_index(host=137.132.209.209) 30/30

from "137.132.209.209" pounding on the IP "155.98.35.7".

So I was thinking the filter should have dropped the traffic before the SSH connection got processed or ever reached the detect-bruteforcing.bro script, and not incremented the counter or kicked off the notice.


Thanks for answering my question in general, that I should be able to use "net" as well as "host", but can you see any reason that should not be working?

 - Corey


On Aug 27, 2012, at 8:39 PM, Seth Hall <seth at icir.org> wrote:

> 
> On Aug 27, 2012, at 6:41 PM, Corey Roach (ISO) <Corey.Roach at utah.edu> wrote:
> 
>> redef restrict_filters += [ ["not-two-nets"] = "not net 10.50.1.0/20 and not net 10.60.1.0/22"];
> 
> I'm surprised that Bro is starting up for you.  When I try running with these lines I get a message about a bad filter.  The line that I left above doesn't work as a valid BPF filter, there are network bits beyond the netmask which BPF doesn't seem to like.
> 
> I think the CIDRs you meant to use are:
> 	10.50.0.0/20
> 	10.60.0.0/11
> 
> So use this instead:
> 	redef restrict_filters += { ["not-two-nets"] = "not net 10.50.0.0/20 and not net 10.60.0.0/22" };
> 
> 
>> Ultimately I'd like to eliminate the traffic at my upstream device, but in the mean time, does anyone see something I'm doing obviously wrong?
> 
> 
> Once again, I'd like to apologize to everyone for not getting the rewritten packet filter framework into 2.1.  This will be so much easier when that's finally included (the worst part is that it's already done!).
> 
>  .Seth
> 
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
> 

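A small check of the two filters quoted in this thread, added here as an example and not part of the original messages. It uses Python's ipaddress module and assumes the libpcap behaviour Seth describes (a "net" term with host bits set beyond the mask is rejected), and it tests whether the attacker and victim addresses from the notice fall inside the excluded networks.

```python
import ipaddress
import re

# Constructed sample filters taken from the thread: the one Corey first
# posted (host bits beyond the mask) and the one actually in use.
BROKEN_FILTER = "not net 10.50.1.0/20 and not net 10.60.1.0/22"
FLUX_FILTER = "not net 155.98.32.0/20 and not net 155.98.60.0/22"

NET_RE = re.compile(r"\bnet\s+(\d+\.\d+\.\d+\.\d+/\d+)")
NOT_NET_RE = re.compile(r"\bnot\s+net\s+(\d+\.\d+\.\d+\.\d+/\d+)")


def check_nets(bpf):
    """Map each 'net a.b.c.d/n' term to its normalised network, or to a
    message when host bits are set beyond the mask (the case BPF rejects)."""
    out = {}
    for cidr in NET_RE.findall(bpf):
        try:
            out[cidr] = str(ipaddress.ip_network(cidr, strict=True))
        except ValueError:
            net = ipaddress.ip_network(cidr, strict=False)
            out[cidr] = f"host bits set; did you mean {net}?"
    return out


def excluded_by(bpf, addr):
    """True if addr lies inside any 'not net X/n' term, i.e. packets to or
    from it should be dropped by the filter before any script sees them."""
    ip = ipaddress.ip_address(addr)
    for cidr in NOT_NET_RE.findall(bpf):
        if ip in ipaddress.ip_network(cidr, strict=False):
            return True
    return False


if __name__ == "__main__":
    print(check_nets(BROKEN_FILTER))
    print(check_nets(FLUX_FILTER))
    # The victim from the notice is inside the excluded /20, the source is not.
    print(excluded_by(FLUX_FILTER, "155.98.35.7"))
    print(excluded_by(FLUX_FILTER, "137.132.209.209"))
```

If the filter validates and the victim address is covered, the notice means the filter was not actually applied to the capture, so the next thing to check is the filter Bro reports at startup.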