[Bro] Bro restrict filters question

Edgmand, Craig craig.edgmand at okstate.edu
Tue Jun 13 12:05:29 PDT 2017

Oddly enough, it works with tcpdump but not with Bro.

-----Original Message-----
From: Azoff, Justin S [mailto:jazoff at illinois.edu] 
Sent: Tuesday, June 13, 2017 10:13 AM
To: Edgmand, Craig <craig.edgmand at okstate.edu>
Cc: bro at bro.org
Subject: Re: [Bro] Bro restrict filters question

> On Jun 13, 2017, at 10:59 AM, Edgmand, Craig <craig.edgmand at okstate.edu> wrote:
> Hello,
> I am running Bro 2.5 and I am trying to set up some restrict_filters to drop certain hosts and types of traffic.
> I have the following entries in my local.bro:
> redef PacketFilter::enable_auto_protocol_capture_filters = F;
> redef capture_filters = { ["packets-like-this"] = "ip or not ip" };
> redef restrict_filters = { ["no-data-like-this"] = "not host" };
> I had something similar in earlier versions of Bro that seemed to work but this doesn’t work at all. 
> When I run ./broctl print restrict_filters it shows that the workers have that filter.
> Any ideas?

Is your traffic vlan tagged? You may need to use

redef restrict_filters = { ["no-data-like-this"] = "vlan and not host" };

- Justin Azoff

More information about the Bro mailing list
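Added example (not part of the thread above and not Bro or libpcap code): the Python below emulates, on constructed frames, the checks that libpcap's compiled BPF performs for the primitives "host H" and "vlan and host H" on Ethernet. It shows why a restrict filter written as "not host H" lets 802.1Q-tagged traffic from H through (the primitive tests for ethertype 0x0800 at offset 12, and a tagged frame has 0x8100 there), why the suggested "vlan and not host H" excludes H but also drops every untagged frame, and one way to cover both cases. The host 10.0.0.5, the MACs and the VLAN id are made-up sample values; the filter forms are emulated here rather than compiled with libpcap.

```python
"""
Added example (not from the Bro mailing-list thread or the Bro project): emulate,
on constructed frames, what libpcap's compiled BPF checks for the primitives
'host H' and 'vlan and host H', to show why a restrict filter written as
'not host H' lets 802.1Q-tagged traffic from H through.
"""
import struct
from ipaddress import IPv4Address

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_8021Q = 0x8100


def build_ipv4_frame(src_ip, dst_ip, vlan_id=None, payload=b""):
    """Build a minimal Ethernet/IPv4 frame; vlan_id adds an 802.1Q tag (constructed data)."""
    dst_mac = bytes.fromhex("001122334455")   # placeholder MACs, not real hardware
    src_mac = bytes.fromhex("66778899aabb")
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload),   # ver/ihl, tos, total length
                         0, 0, 64, 17, 0,               # id, flags/frag, ttl, proto=UDP, checksum (unset)
                         IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    if vlan_id is None:
        return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + payload
    tag = struct.pack("!HH", ETHERTYPE_8021Q, vlan_id & 0x0FFF)   # TPID + TCI (PCP/DEI zero)
    return dst_mac + src_mac + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + payload


def match_host(frame, host):
    """'host H' as compiled for plain Ethernet: ethertype at offset 12 must be IPv4 and the
    addresses sit at fixed offsets 26 (src) and 30 (dst).  A tagged frame carries 0x8100 at
    offset 12, so this primitive never matches it, whatever addresses it carries."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return False
    addr = IPv4Address(host).packed
    return frame[26:30] == addr or frame[30:34] == addr


def match_vlan_host(frame, host):
    """'vlan and host H': require an 802.1Q tag at offset 12; every later offset then shifts
    by the 4-byte tag (ethertype at 16, src at 30, dst at 34)."""
    if len(frame) < 38 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_8021Q:
        return False
    if struct.unpack_from("!H", frame, 16)[0] != ETHERTYPE_IPV4:
        return False
    addr = IPv4Address(host).packed
    return frame[30:34] == addr or frame[34:38] == addr


def restrict_not_host(frames, host, form):
    """Return the indices of the frames a restrict filter would let through to the analyzers.
    form selects the expression being emulated:
      'plain' -> 'not host H'                           (the filter from the thread)
      'vlan'  -> 'vlan and not host H'                  (the suggested fix)
      'both'  -> 'not host H and not (vlan and host H)' (tagged and untagged; the untagged
                 term comes first because libpcap shifts offsets for every primitive after 'vlan')
    """
    kept = []
    for i, f in enumerate(frames):
        tagged = len(f) >= 14 and struct.unpack_from("!H", f, 12)[0] == ETHERTYPE_8021Q
        if form == "plain":
            passes = not match_host(f, host)
        elif form == "vlan":
            passes = tagged and not match_vlan_host(f, host)
        elif form == "both":
            passes = not match_host(f, host) and not match_vlan_host(f, host)
        else:
            raise ValueError(f"unknown filter form: {form}")
        if passes:
            kept.append(i)
    return kept


def sample_frames():
    """Constructed traffic; 10.0.0.5 is the host the restrict filter should exclude."""
    return [
        build_ipv4_frame("10.0.0.5", "192.0.2.10"),               # 0: untagged, from excluded host
        build_ipv4_frame("10.0.0.5", "192.0.2.10", vlan_id=100),  # 1: tagged, from excluded host
        build_ipv4_frame("10.0.0.9", "192.0.2.10", vlan_id=100),  # 2: tagged, other host
        build_ipv4_frame("192.0.2.10", "10.0.0.9"),               # 3: untagged, other host
    ]


if __name__ == "__main__":
    frames = sample_frames()
    for form in ("plain", "vlan", "both"):
        print(f"{form:5s}: kept frames {restrict_not_host(frames, '10.0.0.5', form)}")
    # plain: [1, 2, 3]  -> tagged traffic from 10.0.0.5 still reaches the analyzers
    # vlan : [2]        -> 10.0.0.5 excluded, but every untagged frame is dropped as well
    # both : [2, 3]     -> only 10.0.0.5 excluded, tagged or not
```

Two checks worth doing on the sensor itself before changing local.bro: `tcpdump -d 'not host H'` prints the compiled BPF and makes the fixed ethertype test at offset 12 visible, and `tcpdump -e -nn -i <iface> vlan` shows whether the tags are actually present on the capture path. On Linux the NIC or driver can strip the 802.1Q tag and hand it to libpcap as metadata rather than in the frame bytes, so tcpdump and another capture consumer on the same box can disagree about whether a packet "is" tagged; that is one thing to rule out when a filter behaves in tcpdump but not in the sensor.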