[Bro] PacketFilter

Dave Crawford bro at pingtrip.com
Sat Mar 18 10:07:39 PDT 2017


I'm attempting to implement a packet filter to drop multicast traffic but I'm not having success.

This is what I have in local.bro:

@load base/frameworks/packet-filter
redef capture_filters += {
    ["ip"] = "ip",
    ["non-ip"] = "not ip"
};

redef restrict_filters += { ["not-multicast"] = "net 224.0.0.0/4" };

Which according to the FAQ (https://www.bro.org/documentation/faq.html) should produce a BPF like:

((ip) or (not ip)) and (not net 224.0.0.0/4)

But I'm still seeing multicast in the conn log:

1489855468.534667   CM5Ehj4nefU23EOeyj  192.168.20.8    41340   239.254.127.63  60000   udp

It looks like the filters are being implemented:

[BroControl] > print capture_filters
     ext-1   capture_filters = {
    [non-ip] = not ip,
    [ip] = ip
}
<snip>

[BroControl] > print restrict_filters
     ext-1   restrict_filters = {
    [not-multicast] = net 224.0.0.0/4
}
<snip>

Am I missing a step?

-Dave
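An added worked example, not part of Dave's post and not Bro's own code: the packet-filter framework documents restrict_filters as filters that are ANDed onto the capture filter, and it uses each entry as written, so a restrict filter of "net 224.0.0.0/4" restricts capture to that network rather than excluding it; the "not" has to be part of the filter string. The script below models that composition with the two tables from the local.bro above and evaluates the resulting BPF string against three constructed flows (the first mirrors the conn.log line quoted in the post) using a small evaluator for the primitives involved. Assumptions of the example: the exact parenthesisation of Bro's combine_filters(), treating "ip" as "IPv4 addresses" and "net" as "src or dst inside the prefix", and the alternative restrict filter with "not" in it. The filter Bro actually installed on a running sensor can be read back from packet_filter.log.

```python
"""
Model (not Bro's own code) of how base/frameworks/packet-filter builds its
BPF string: capture_filters entries are ORed together, then every
restrict_filters entry is ANDed on exactly as written.  A small evaluator for
the BPF primitives used in the post runs the result against constructed flows.
"""
import ipaddress
import re

# Tables from the post's local.bro.
CAPTURE_FILTERS = {"ip": "ip", "non-ip": "not ip"}
AS_POSTED = {"not-multicast": "net 224.0.0.0/4"}
EXCLUDING = {"not-multicast": "not net 224.0.0.0/4"}   # assumed alternative

# Constructed sample flows (src, dst, proto); the first mirrors the conn.log line.
SAMPLE_FLOWS = {
    "multicast": ("192.168.20.8", "239.254.127.63", "udp"),
    "unicast":   ("192.168.20.8", "192.168.20.1", "tcp"),
    "ipv6":      ("fe80::1", "ff02::1", "udp"),
}


def compose_bpf(capture_filters, restrict_filters):
    """OR the capture filters, then AND each restrict filter on verbatim.
    The parenthesisation of Bro's combine_filters() is an assumption here."""
    expr = " or ".join(f"({f})" for f in capture_filters.values())
    expr = f"({expr})" if expr else ""
    for f in restrict_filters.values():
        expr = f"{expr} and ({f})" if expr else f"({f})"
    return expr


class _Bpf:
    """Recursive-descent evaluator for: ip, tcp, udp, net CIDR, not, and, or, ()."""

    def __init__(self, expr):
        self.toks = re.findall(r"\(|\)|[^\s()]+", expr)
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self):
        fn = self.expr()
        if self.peek() is not None:
            raise ValueError(f"trailing token {self.peek()!r}")
        return fn

    def expr(self):                      # expr := term ('or' term)*
        fn = self.term()
        while self.peek() == "or":
            self.take()
            fn = (lambda a, b: lambda p: a(p) or b(p))(fn, self.term())
        return fn

    def term(self):                      # term := factor ('and' factor)*
        fn = self.factor()
        while self.peek() == "and":
            self.take()
            fn = (lambda a, b: lambda p: a(p) and b(p))(fn, self.factor())
        return fn

    def factor(self):                    # factor := 'not' factor | '(' expr ')' | primitive
        tok = self.take()
        if tok == "not":
            inner = self.factor()
            return lambda p: not inner(p)
        if tok == "(":
            inner = self.expr()
            if self.take() != ")":
                raise ValueError("unbalanced parentheses")
            return inner
        if tok == "ip":                  # simplification: 'ip' == IPv4 addresses
            return lambda p: p[0].version == 4
        if tok in ("tcp", "udp"):
            return lambda p: p[2] == tok
        if tok == "net":                 # simplification: src or dst inside the prefix
            net = ipaddress.ip_network(self.take(), strict=False)
            return lambda p: p[0] in net or p[1] in net
        raise ValueError(f"unsupported BPF primitive {tok!r}")


def matches(expr, flow):
    """True if the BPF expression admits flow = (src, dst, proto)."""
    src, dst, proto = flow
    packet = (ipaddress.ip_address(src), ipaddress.ip_address(dst), proto)
    return _Bpf(expr).parse()(packet)


def kept_flows(restrict_filters, capture_filters=CAPTURE_FILTERS, flows=SAMPLE_FLOWS):
    """Names of the sample flows the composed filter lets through."""
    expr = compose_bpf(capture_filters, restrict_filters)
    return {name for name, flow in flows.items() if matches(expr, flow)}


if __name__ == "__main__":
    for label, rf in (("as posted", AS_POSTED), ("with 'not'", EXCLUDING)):
        expr = compose_bpf(CAPTURE_FILTERS, rf)
        print(f"{label:11} {expr}\n{'':11} kept: {sorted(kept_flows(rf))}")
```

Run stand-alone it prints the two composed expressions and which sample flows each admits; with the restrict filter as posted only the multicast flow survives, with "not net 224.0.0.0/4" the multicast flow is the one dropped. The evaluator covers only the handful of primitives these filters use; anything else raises rather than silently matching.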