[Bro] BPF Filter Help

DJ Root dj.root at netronome.com
Mon Feb 9 08:49:24 PST 2015


What you describe here is a fairly straightforward match/action rule - in your case you want to perform some action when you receive dst host / dst port 53 / src host X / src port Y traffic - right?  This operation can be done on an intelligent NIC card without any interaction with Bro (or BPF for that matter).

If you would like more information on how we could help solve this problem, please email me privately.

DJ Root
> On Feb 9, 2015, at 9:19 AM, Seth Hall <seth at icir.org> wrote:
>> On Feb 8, 2015, at 7:53 PM, Adam Hall <abhall1 at yahoo.com> wrote:
>> 1423442632.139980       bro     (ip or not ip) and (not (dst host and dst port 53))   T       T
>> The only way I have been able to successfully get this to work is by defining only "host" or "port", I have not been able to get this to be successful using a "src host", "dst host", "src port", or "dst port".
>> This creates a problem to the point it's almost unusable to me as I cannot ignore all traffic for "host and port 53".
> It’s unlikely that you are ever going to want to use the “src” or “dst” modifiers in filters meant for Bro.  Bro is intended to look at both directions of traffic to successfully analyze connections and you are intrinsically breaking that when you use src or dst.
> What is the end result you’re trying to get to?  You just don’t want to see dns traffic involving host
> The problem here is that there is a disjoint in the semantics of BPF and the typical semantics of Bro.  Bro operates on connections (and flows to a slightly lesser degree currently).  BPF is completely oriented around packets.  It causes these little confusions unfortunately.
>  .Seth
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
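As an added illustration of the semantic mismatch Seth describes (example code, not from the thread or the Bro project): a small Python model of BPF's per-packet semantics run over a constructed DNS exchange. It shows that `not (dst host X and dst port 53)` drops the query but lets the reply through, so Bro would see only half of the connection, while `not (host X and port 53)` removes both directions. The addresses and ports are constructed sample values.

```python
"""Model of how a directional BPF filter splits a connection Bro wants whole."""
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

Filter = Callable[[Packet], bool]

# BPF primitives as predicates over ONE packet: BPF has no notion of a connection.
def host(addr: str) -> Filter:      # 'host X' means 'src host X or dst host X'
    return lambda p: p.src == addr or p.dst == addr
def dst_host(addr: str) -> Filter:
    return lambda p: p.dst == addr
def port(n: int) -> Filter:         # 'port N' means 'src port N or dst port N'
    return lambda p: p.sport == n or p.dport == n
def dst_port(n: int) -> Filter:
    return lambda p: p.dport == n
def and_(a: Filter, b: Filter) -> Filter: return lambda p: a(p) and b(p)
def not_(a: Filter) -> Filter: return lambda p: not a(p)

def capture(packets: List[Packet], flt: Filter) -> List[Packet]:
    """Packets Bro actually receives once the kernel applies the filter."""
    return [p for p in packets if flt(p)]

def connection_split(packets: List[Packet], flt: Filter) -> Tuple[int, int]:
    """(DNS queries seen, DNS replies seen); a healthy view has both or neither."""
    seen = capture(packets, flt)
    return (sum(p.dport == 53 for p in seen), sum(p.sport == 53 for p in seen))

RESOLVER = "192.0.2.53"    # constructed sample address
CLIENT = "198.51.100.7"    # constructed sample address
# One DNS connection: the query and its reply.
DNS_EXCHANGE = [Packet(CLIENT, 40000, RESOLVER, 53), Packet(RESOLVER, 53, CLIENT, 40000)]
# Unrelated web traffic that must keep flowing in both directions.
WEB = [Packet(CLIENT, 40001, "203.0.113.10", 80), Packet("203.0.113.10", 80, CLIENT, 40001)]

# The filter from the thread: not (dst host X and dst port 53)
DIRECTIONAL = not_(and_(dst_host(RESOLVER), dst_port(53)))
# The connection-oriented alternative: not (host X and port 53)
BIDIRECTIONAL = not_(and_(host(RESOLVER), port(53)))

if __name__ == "__main__":
    print("directional  :", connection_split(DNS_EXCHANGE + WEB, DIRECTIONAL))    # (0, 1)
    print("bidirectional:", connection_split(DNS_EXCHANGE + WEB, BIDIRECTIONAL))  # (0, 0)
```

The `(0, 1)` result is the half-connection Seth warns about: Bro never sees the query, only the resolver's reply.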
