[Bro] BPF packet filter syntax

Tyler T. Schoenke tyler.schoenke at colorado.edu
Wed Aug 29 10:08:19 PDT 2012


You can run broctl print capture_filters or broctl print
restrict_filters to see which filters are being loaded by the cluster.
I never thought to check my packet_filter* log files, but looked and
they are empty even though the filters are running.

Tyler

--
Tyler Schoenke
Network Security Manager
IT Security Office
University of Colorado at Boulder

On 8/29/12 10:57 AM, Corey Roach (ISO) wrote:
> Hey Gang,
> 
> I still don't have this working properly, but I think I'm making progress and I've got it down to a repeatable test.
> 
> For testing I installed the latest pfring SVN and Bro v2.1-rc3 on an Ubuntu Server 12.04.1 VMware Fusion VM.
> 
> The only change I made to the plain-vanilla install is to add the following lines to the bottom of the local.bro:
> 
> redef PacketFilter::all_packets = F;
> redef capture_filters = { ["all"] = "ip or not ip" };
> redef restrict_filters += { ["not-one-host"] = "not host 10.10.10.1" };
> redef restrict_filters += { ["not-one-net"] = "not net 10.10.20.0/24" };
> 
> I start it up, and the filter shows up properly in the packet_filter.log.
> 
> I then change the node.cfg from stand-alone mode to a single box cluster (manager, proxy and worker all on the same box) and start it up again and nothing shows up in the packet_filter.log.
> 
> So, it appears to possibly be a stand-alone vs cluster issue.
> 
> Has anyone successfully applied a packet filter to a clustered environment? Did you have to make any other tweaks to get it to work?
> 
> - Corey
> 
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> 
> 
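
When packet_filter.log stays empty in cluster mode, as both posters report, there is no log line to read the effective BPF expression from. The following is an added example, not code from Bro or from anyone on this list, that shows what that expression should look like for Corey's local.bro redefs and which traffic it would exclude. It assumes Bro composes the capture_filters table with "or" and the restrict_filters table with "and", then joins the two groups with "and"; the mini-evaluator handles only the primitives used in this thread (the catch-all "ip or not ip", "host", "net"), not general BPF. The IP addresses are the ones from Corey's message; the packet tuples in main() are constructed.

```python
import ipaddress

# Mirrors the redef lines from Corey's local.bro (constructed to match the thread).
CAPTURE_FILTERS = {"all": "ip or not ip"}
RESTRICT_FILTERS = {
    "not-one-host": "not host 10.10.10.1",
    "not-one-net": "not net 10.10.20.0/24",
}


def _group(exprs, op):
    """Parenthesise each filter and join with op; wrap the group when needed so
    that BPF's precedence ('and' binds tighter than 'or') cannot reorder it."""
    parts = [f"({e})" for e in exprs]
    if len(parts) == 1:
        return parts[0]
    return "(" + f" {op} ".join(parts) + ")"


def build_filter(capture, restrict):
    """Build the combined BPF string Bro is expected to hand to libpcap.
    Assumption: capture filters OR'd together, restrict filters AND'd together,
    final filter = capture AND restrict."""
    cap = _group(capture.values(), "or") if capture else "(ip or not ip)"
    if not restrict:
        return cap
    return f"{cap} and {_group(restrict.values(), 'and')}"


def _matches(expr, src, dst):
    """Evaluate one of the primitives used in the thread against a packet's
    source/destination addresses. Raises on anything it does not understand
    rather than silently guessing."""
    expr = expr.strip()
    if expr == "ip or not ip":          # Bro's catch-all: matches every packet
        return True
    negate = expr.startswith("not ")
    if negate:
        expr = expr[4:]
    kind, _, value = expr.partition(" ")
    addrs = (ipaddress.ip_address(src), ipaddress.ip_address(dst))
    if kind == "host":
        hit = ipaddress.ip_address(value) in addrs
    elif kind == "net":
        net = ipaddress.ip_network(value, strict=False)
        hit = any(a in net for a in addrs)
    else:
        raise ValueError(f"unsupported BPF primitive in this example: {expr}")
    return hit != negate


def would_capture(src, dst, capture=CAPTURE_FILTERS, restrict=RESTRICT_FILTERS):
    """True if a packet between src and dst passes at least one capture filter
    and every restrict filter, i.e. if Bro would see it."""
    captured = any(_matches(f, src, dst) for f in capture.values())
    allowed = all(_matches(f, src, dst) for f in restrict.values())
    return captured and allowed


def main():
    print("expected packet_filter.log filter:")
    print("  " + build_filter(CAPTURE_FILTERS, RESTRICT_FILTERS))
    # Constructed sample flows: documentation ranges plus the excluded host/net.
    for src, dst in [("192.0.2.5", "198.51.100.9"),
                     ("10.10.10.1", "192.0.2.5"),
                     ("192.0.2.5", "10.10.20.77"),
                     ("10.10.21.1", "192.0.2.5")]:
        verdict = "captured" if would_capture(src, dst) else "dropped by filter"
        print(f"  {src} -> {dst}: {verdict}")


if __name__ == "__main__":
    main()
```

Running this prints the combined expression so it can be compared with the output of broctl print capture_filters and broctl print restrict_filters, and the per-flow verdicts confirm that only traffic touching 10.10.10.1 or 10.10.20.0/24 is excluded while a neighbouring address such as 10.10.21.1 is still captured.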
