[Bro] BPF packet filter syntax

Seth Hall seth at icir.org
Mon Aug 27 22:34:59 PDT 2012

On Aug 28, 2012, at 1:24 AM, "Corey Roach  (ISO)" <Corey.Roach at utah.edu> wrote:

> Actually, I fudged the addresses in an attempt to simplify the question, but I neglected to check the CIDR boundaries, so I guess it didn't make it simpler after all. :)

Hah!  No problem.

> redef restrict_filters += [ ["not-flux"] = "not net and not net"];

One funny thing is that I was *really* surprised that this syntax works.  Normally I would surround the table values with curly braces like this…

redef restrict_filters += { ["not-flux"] = "not net and not net" };

At some point we're really going to have to tighten up the language's use of curly braces and square brackets; there is still a lot of inconsistency floating around.

> SSH::Password_Guessing  Threshold crossed by metric_index(host= 30/30
> from "" pounding on the IP "".

Are you seeing that address ( in your conn.log?  I assume you are, but the metric based detection doesn't inherently indicate that.

> So I was thinking the filter should have dropped the traffic before the SSH connection got processed or ever reached the detect-bruteforcing.bro script and not incremented the counter or kicked off the notice.

Yeah, I would think so too.

Could you send me the output from the packet_filter.log?  Feel free to send it off list if it has anything in it that you'd rather not broadcast publicly.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
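An added example, not code from the thread or from Bro itself, showing the two things a reader would want to check here: that every `net a.b.c.d/len` term in a restrict filter sits on its CIDR boundary (libpcap refuses to compile a term with host bits set, so the whole filter silently fails to exclude anything), and what the combined filter string looks like once the entries of `restrict_filters` are joined. The addresses are constructed placeholders, and the "and"-joining of restrict filters is an assumption about the packet-filter framework's behaviour.

```python
import ipaddress
import re

# Constructed sample mirroring the thread's restrict_filters table; the real
# addresses were removed from the message, so these are placeholders.
RESTRICT_FILTERS = {
    "not-flux": "not net 10.1.2.3/24 and not net 192.0.2.0/24",
}

# Matches the "net a.b.c.d/len" form of a BPF network term.
NET_TERM = re.compile(r"\bnet\s+(\d+\.\d+\.\d+\.\d+)/(\d+)\b")


def misaligned_nets(bpf: str) -> list:
    """Return the net terms in a BPF filter whose host bits are not zero.

    libpcap rejects such terms ("non-network bits set"), so the filter never
    compiles and no traffic is excluded, which shows up as a failed entry in
    packet_filter.log rather than as a quietly narrowed capture.
    """
    bad = []
    for addr, plen in NET_TERM.findall(bpf):
        try:
            ipaddress.ip_network(f"{addr}/{plen}", strict=True)
        except ValueError:
            bad.append(f"{addr}/{plen}")
    return bad


def aligned(addr_plen: str) -> str:
    """Rewrite a term onto its CIDR boundary (10.1.2.3/24 -> 10.1.2.0/24)."""
    return str(ipaddress.ip_network(addr_plen, strict=False))


def combined_restrict_filter(filters: dict) -> str:
    """Join restrict filters with 'and', each parenthesised (assumption about
    how the framework combines the restrict_filters table entries)."""
    return " and ".join(f"({f})" for f in filters.values())


def check(filters: dict) -> dict:
    """Map each restrict filter name to its misaligned net terms."""
    return {name: misaligned_nets(f) for name, f in filters.items()}


if __name__ == "__main__":
    for name, bad in check(RESTRICT_FILTERS).items():
        for term in bad:
            print(f"{name}: net {term} has host bits set; use net {aligned(term)}")
    print(combined_restrict_filter(RESTRICT_FILTERS))
```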
