[Bro] BPF Filter Help
dj.root at netronome.com
Mon Feb 9 10:20:36 PST 2015
No, there is not. However, I come from the vendor side and, therefore, don’t want to disrupt the integrity of a technology mailing list. That said, we have Bro running in our lab, so our claims can be supported by real data and demos.
As far as the question below is concerned, we (Netronome) have intelligent NICs and software to do match / action operations in hardware. We can set up 5-tuple filtering in hardware, which can address Adam’s problem. Result - BPF is off-loaded from the CPU; Bro is not changed, but now has more CPU cycles to process flows.
Director of Sales, Americas East and EMEA
> On Feb 9, 2015, at 11:57 AM, Michał Purzyński <michalpurzynski1 at gmail.com> wrote:
> Is there any reason why you cannot share this kind of information on
> the list, so everyone can benefit?
> Looks like man ethtool, right?
> On Mon, Feb 9, 2015 at 5:49 PM, DJ Root <dj.root at netronome.com> wrote:
>> What you describe here is a fairly straightforward match/action rule - in your case you want to perform some action when you receive dst host 10.8.0.56 / dst port 53 / src host X / src port Y traffic - right? This operation can be done on an intelligent NIC card without any interaction with Bro (or BPF for that matter).
>> If you would like more information on how we could help solve this problem, please email me privately.
>> DJ Root
>>> On Feb 9, 2015, at 9:19 AM, Seth Hall <seth at icir.org> wrote:
>>>> On Feb 8, 2015, at 7:53 PM, Adam Hall <abhall1 at yahoo.com> wrote:
>>>> 1423442632.139980 bro (ip or not ip) and (not (dst host 10.8.0.85 and dst port 53)) T T
>>>> The only way I have been able to successfully get this to work is by defining only "host" or "port"; I have not been able to get this to be successful using a "src host", "dst host", "src port", or "dst port".
>>>> This creates a problem to the point it's almost unusable to me as I cannot ignore all traffic for "host 10.8.0.85 and port 53".
>>> It’s unlikely that you are ever going to want to use the “src” or “dst” modifiers in filters meant for Bro. Bro is intended to look at both directions of traffic to successfully analyze connections and you are intrinsically breaking that when you use src or dst.
>>> What is the end result you’re trying to get to? You just don’t want to see dns traffic involving host 10.8.0.85?
>>> The problem here is that there is a disjoint in the semantics of BPF and the typical semantics of Bro. Bro operates on connections (and flows to a slightly lesser degree currently). BPF is completely oriented around packets. It causes these little confusions unfortunately.
>>> Seth Hall
>>> International Computer Science Institute
>>> (Bro) because everyone has a network
>>> Bro mailing list
>>> bro at bro-ids.org
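The packet-versus-connection mismatch Seth describes, shown with an added example that is not from this thread, from Bro or from libpcap: a small Python evaluator for just the subset of pcap-filter syntax used above (host, port, the src/dst modifiers, and/or/not, parentheses and the ip keyword), applied to both halves of one constructed DNS exchange. The client address 10.8.0.10, the ports and the helper names are illustrative assumptions; the resolver 10.8.0.85:53 is the one from Adam's filter.

```python
# Added example (not from the Bro thread or the Bro project): a toy evaluator for the
# subset of pcap-filter syntax used in the thread, run over both halves of one
# constructed connection to show why "dst host"/"dst port" filters leave Bro with
# half a conversation. Addresses, ports and helper names are illustrative assumptions.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed packet: only the fields this filter subset can test."""
    src_host: str
    src_port: int
    dst_host: str
    dst_port: int


TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")


class FilterParser:
    """Recursive-descent parser; 'not' binds tighter than 'and', which binds
    tighter than 'or', matching pcap-filter precedence."""

    def __init__(self, expr: str):
        self.toks = TOKEN_RE.findall(expr)
        self.i = 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of filter")
        self.i += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def parse_or(self):
        left = self.parse_and()
        while self.peek() == "or":
            self.take()
            left = ("or", left, self.parse_and())
        return left

    def parse_and(self):
        left = self.parse_not()
        while self.peek() == "and":
            self.take()
            left = ("and", left, self.parse_not())
        return left

    def parse_not(self):
        if self.peek() == "not":
            self.take()
            return ("not", self.parse_not())
        return self.parse_primary()

    def parse_primary(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok == "ip":
            return ("ip",)  # every constructed packet here is IPv4, so 'ip' is always true
        direction = None
        if tok in ("src", "dst"):
            direction, tok = tok, self.take()
        if tok in ("host", "port"):
            return (tok, direction, self.take())
        raise ValueError(f"unsupported token {tok!r}")


def matches(node, pkt: Packet) -> bool:
    """True if the packet passes the filter (i.e. would be handed to Bro)."""
    kind = node[0]
    if kind == "ip":
        return True
    if kind == "not":
        return not matches(node[1], pkt)
    if kind == "and":
        return matches(node[1], pkt) and matches(node[2], pkt)
    if kind == "or":
        return matches(node[1], pkt) or matches(node[2], pkt)
    _, direction, value = node
    if kind == "host":  # bare 'host' matches either endpoint, 'src'/'dst' only one
        sides = {"src": (pkt.src_host,), "dst": (pkt.dst_host,),
                 None: (pkt.src_host, pkt.dst_host)}[direction]
        return value in sides
    sides = {"src": (pkt.src_port,), "dst": (pkt.dst_port,),
             None: (pkt.src_port, pkt.dst_port)}[direction]
    return int(value) in sides


def filter_connection(expr, client, client_port, server, server_port):
    """Apply the filter to the request and the reply of one connection.
    Returns (request_kept, reply_kept); Bro needs both halves or neither."""
    tree = FilterParser(expr).parse()
    request = Packet(client, client_port, server, server_port)
    reply = Packet(server, server_port, client, client_port)
    return matches(tree, request), matches(tree, reply)


if __name__ == "__main__":
    # Constructed DNS exchange: client 10.8.0.10:51234 <-> resolver 10.8.0.85:53.
    for expr in ("(ip or not ip) and (not (dst host 10.8.0.85 and dst port 53))",
                 "not (host 10.8.0.85 and port 53)"):
        print(expr, "->", filter_connection(expr, "10.8.0.10", 51234, "10.8.0.85", 53))
```

Run over the constructed exchange, Adam's filter returns (False, True): the query to the resolver is dropped but the resolver's reply still reaches Bro, which now sees a one-sided connection it cannot analyse properly. The symmetric form `not (host 10.8.0.85 and port 53)` returns (False, False), removing the whole conversation, while an unrelated connection to the same host on another port passes in both directions. That is the practical reason to avoid src/dst modifiers in a filter feeding a connection-oriented analyser.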