[Bro] Bro Digest, Vol 101, Issue 4

pooja champaneria pooh_champ19 at yahoo.com
Wed Sep 3 23:52:32 PDT 2014

Respected sir,

I have just started using Bro IDS. I am going through your tutorials to learn Bro. When I ran the command that shows the connections which last more than 60 secs, it gave me absolutely correct results. Now I want to see all the connections that take place. How can I implement that? Also I am unaware of how to use policy scripts. Suggest me the solution and resources which help me learn Bro faster.
Reply awaited.

On Thursday, September 4, 2014 12:31 AM, "bro-request at bro.org" <bro-request at bro.org> wrote:

Send Bro mailing list submissions to
    bro at bro.org

To subscribe or unsubscribe via the World Wide Web, visit
or, via email, send a message with subject or body 'help' to
    bro-request at bro.org

You can reach the person managing the list at
    bro-owner at bro.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Bro digest..."

Today's Topics:

   1. Re: Adding options to bro managed by broctl (inetjunkmail)


Message: 1
Date: Wed, 3 Sep 2014 13:14:16 -0400
From: inetjunkmail <inetjunkmail at gmail.com>
Subject: Re: [Bro] Adding options to bro managed by broctl
To: Seth Hall <seth at icir.org>
Cc: bro at bro.org
Message-ID:
    <CAAJ38WWuRyX0HTyNY11Q00KpEroHEr1_Y4OX4hPE+YGnn_GAKg at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"


Thanks for the direction.  We ended up leveraging the capture_filter as you
described.  Our traffic is MPLS so the capture filter is a little more
complicated but we've got it working well.  If anyone else needs it, here's
what we've done to use capture_filters in an MPLS environment.  We have
anywhere from 0-2 MPLS labels on our traffic so:

redef capture_filters += { ["inet_fltr"] = "(net or port 443) or
(mpls and (net or port 443)) or (mpls and mpls and (net or port 443))" };

There may be some better way to recursively pop any number of MPLS labels
but this seems to work ok in our environment.

Ultimately, we intend to have our tap aggregator pop the MPLS labels and
apply any necessary filters but MPLS label popping is only roadmapped at
this point on our tool.


On Sun, Aug 31, 2014 at 12:07 PM, Seth Hall <seth at icir.org> wrote:

> On Aug 28, 2014, at 11:07 AM, James Lay <jlay at slave-tothe-box.net> wrote:
> > broargs = -f 'net or port 443'
> >
> > to your broctl.cfg file.
> That will work, but technically it might be a bit better to do something
> like this...
> redef capture_filters += {
>         ["watched network"] = "net",
>         ["https"] = "port 443"
> };
> If you build up what you want to capture this way it gives Bro the chance
> to automatically build your BPF filters for you, including checking each
> component of your filter for mistakes which it will then detect at startup
> and tell you which component of your filter failed.  If you use the above
> lines to indicate the traffic you'd like to allow into Bro, you can also
> set restriction filters to limit something a bit.  For instance, in that
> subnet you might want to ignore a single host.  You could
> implement that by adding the following lines...
> redef restrict_filters += {
>         ["unmonitored host"] = "host"
> };
> The filter that would ultimately be constructed by those lines is...
>         ((port 443) or (net and (host
> One thing to be careful with this though is that generally when you take
> the stance that you are doing filtering you have to be really careful to
> understand your traffic.  If you have any traffic with MPLS or VLAN tags,
> the filters I gave won't allow that traffic through.  If you're interested
> in doing ARP analysis you won't see those packets either.  Same goes for
> IPv6.
> Filtering is an area where we've tried to make things simple by running a
> fully open filter, there are a lot of dragons when you stray from that
> path. :)
>   .Seth
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
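The filter composition Seth describes above (capture_filters OR-ed together to say what comes in, restrict_filters AND-ed onto that to take things back out) and the per-label repetition in inetjunkmail's MPLS filter, as an added example in Python. This is illustrative code written for this page, not Bro's packet-filter framework, which does the real composition and compiles each named component at startup so a broken component is reported by name. The subnet 10.0.0.0/8, the host 10.0.0.5 and the "not host ..." form of the restrict entry are assumed placeholders for the values elided from the quoted messages. The repetition is needed because in libpcap filter syntax the first mpls keyword shifts the decoding offsets for the remainder of the expression, so the inner net/port test has to be restated once for every label count that can occur on the wire.

```python
"""Build a Bro-style BPF capture filter from named components.

Illustrative code written for this page, not Bro's packet-filter
framework. The values 10.0.0.0/8 and 10.0.0.5 are constructed
placeholders for the subnet/host elided from the mailing-list posts.
"""


def join_components(components, op):
    """Parenthesise each component and join them with `op` (or/and)."""
    return f" {op} ".join(f"({c})" for c in components)


def compose(capture_filters, restrict_filters=None):
    """capture_filters are OR-ed (what to let in); restrict_filters are
    AND-ed onto that result (what to take back out)."""
    if not capture_filters:
        raise ValueError("at least one capture filter is required")
    cfilter = join_components(capture_filters.values(), "or")
    if not restrict_filters:
        return cfilter
    rfilter = join_components(restrict_filters.values(), "and")
    return f"({cfilter}) and ({rfilter})"


def mpls_wrap(expr, max_labels):
    """Repeat `expr` for 0..max_labels MPLS labels.

    Each `mpls` keyword moves libpcap's decoding offset past one label
    header, so the inner IP test must be restated for every label count
    that can occur (the 0-2 labels case in the reply above is max_labels=2).
    """
    if max_labels < 0:
        raise ValueError("max_labels must be >= 0")
    alternatives = [f"({expr})"]
    for n in range(1, max_labels + 1):
        labels = " and ".join(["mpls"] * n)
        alternatives.append(f"({labels} and ({expr}))")
    return " or ".join(alternatives)


def balanced(expr):
    """Cheap sanity check that parentheses balance. Not a substitute for
    compiling the filter, which Bro does per component at startup."""
    depth = 0
    for ch in expr:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    capture = {"watched network": "net 10.0.0.0/8", "https": "port 443"}
    restrict = {"unmonitored host": "not host 10.0.0.5"}
    plain = compose(capture, restrict)
    print(plain)
    # Traffic carrying 0-2 MPLS labels, as in the reply above.
    print(mpls_wrap(compose(capture), 2))
    assert balanced(plain)
```

Note that the same offset-shifting caveat applies to the vlan keyword, which is why Seth warns that a plain net/port filter silently drops VLAN-tagged and MPLS traffic; if the tap aggregator pops the labels before Bro sees the packets, the wrapped form is no longer needed.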


Bro mailing list
Bro at bro.org

End of Bro Digest, Vol 101, Issue 4
