[Bro] BPF packet filter syntax

Seth Hall seth at icir.org
Mon Aug 27 22:34:59 PDT 2012


On Aug 28, 2012, at 1:24 AM, "Corey Roach  (ISO)" <Corey.Roach at utah.edu> wrote:

> Actually, I fudged the addresses in an attempt to simplify the question, but I neglected to check the cidr boundaries, so I guess it didn't make it simpler after all. :)

Hah!  No problem.

> redef restrict_filters += [ ["not-flux"] = "not net 155.98.32.0/20 and not net 155.98.60.0/22"];

One funny thing is that I was *really* surprised that this syntax works.  Normally I would surround the table values with curly braces like this…

redef restrict_filters += { ["not-flux"] = "not net 155.98.32.0/20 and not net 155.98.60.0/22" };

At some point we're really going to have to tighten up the language's use of curly braces and square brackets; there is still a lot of inconsistency floating around.

> SSH::Password_Guessing  Threshold crossed by metric_index(host=137.132.209.209) 30/30
> 
> from "137.132.209.209" pounding on the IP "155.98.35.7".

Are you seeing that address (155.98.35.7) in your conn.log?  I assume you are, but the metric based detection doesn't inherently indicate that.

> So I was thinking the filter should have dropped the traffic before the SSH connection got processed or ever reached the detect-bruteforcing.bro script and not incremented the counter or kicked off the notice.

Yeah, I would think so too.

Could you send me the output from the packet_filter.log?  Feel free to send it off list if it has anything in it that you'd rather not broadcast publicly.

Thanks,
  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
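An added check (not part of the thread, not Bro's own code) for the two points raised above: whether each prefix in the restrict filter actually sits on a CIDR boundary, and whether a host such as the 155.98.35.7 from the notice falls inside one of the excluded nets, so that the filter would have kept its traffic away from detect-bruteforcing.bro. The filter string is the one quoted in the thread; the function names are assumptions of this example.

```python
import ipaddress
import re

# The restrict filter exactly as quoted in the thread.
RESTRICT_FILTER = "not net 155.98.32.0/20 and not net 155.98.60.0/22"


def boundary_check(cidr):
    """Return (is_aligned, canonical_network) for one CIDR string.

    A prefix with host bits set (e.g. 155.98.35.0/20) is not a valid
    'net' expression; ipaddress refuses it in strict mode, so we fall
    back to strict=False only to report the aligned network."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)
        return True, net
    except ValueError:
        return False, ipaddress.ip_network(cidr, strict=False)


def excluded_nets(bpf_filter):
    """Parse a filter of the form 'not net A/x and not net B/y ...'
    and return the networks it excludes from capture.  Raises
    ValueError if any prefix is not on a CIDR boundary, which is the
    mistake the thread mentions."""
    nets = []
    for cidr in re.findall(r"not net (\S+)", bpf_filter):
        aligned, net = boundary_check(cidr)
        if not aligned:
            raise ValueError(f"{cidr} is not aligned; did you mean {net}?")
        nets.append(net)
    return nets


def filter_drops(bpf_filter, host):
    """True if `host` lies inside an excluded net, i.e. packets to or
    from it should never reach Bro's analyzers under this filter."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in excluded_nets(bpf_filter))


if __name__ == "__main__":
    # Addresses taken from the notice quoted in the thread.
    for host in ("155.98.35.7", "137.132.209.209"):
        print(host, "dropped by filter:", filter_drops(RESTRICT_FILTER, host))
```

If the victim address is reported as dropped here but still appears in conn.log, the filter is not being applied as written, which is what packet_filter.log would confirm.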




