Dave Crawford bro at pingtrip.com
Sat Mar 18 10:07:39 PDT 2017

I'm attempting to implement a packet filter to drop multicast traffic but I’m not having success.

This is what I have in local.bro:

@load base/frameworks/packet-filter
redef capture_filters += {
    ["ip"] = "ip",
    ["non-ip"] = "not ip"
};

redef restrict_filters += { ["not-multicast"] = "net" };

Which according to the FAQ (https://www.bro.org/documentation/faq.html) should produce a BPF like:

((ip) or (not ip)) and (not net

But I'm still seeing multicast in the conn log:

1489855468.534667   CM5Ehj4nefU23EOeyj    41340  60000   udp

It looks like the filters are being implemented:

[BroControl] > print capture_filters
     ext-1   capture_filters = {
    [non-ip] = not ip,
    [ip] = ip

[BroControl] > print restrict_filters
     ext-1   restrict_filters = {
    [not-multicast] = net

Am I missing a step?
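As an added illustration (not code from the post or from the Bro project), a small Python model of how the FAQ says capture_filters and restrict_filters are combined into one BPF expression, plus a check over constructed conn.log-style lines showing which responders a `not net` restriction should have excluded. The multicast CIDR 224.0.0.0/4 is an assumption here, since the post elides the value after `net`.

```python
import ipaddress

# Constructed inputs mirroring the tables from the post; the multicast CIDR
# is an assumption (the post elides the value after "net").
CAPTURE_FILTERS = {"ip": "ip", "non-ip": "not ip"}
RESTRICT_FILTERS = {"not-multicast": "not net 224.0.0.0/4"}


def build_bpf(capture_filters, restrict_filters):
    """Combine the two tables the way the Bro FAQ describes:
    capture filters are OR'ed together, restrict filters are AND'ed on.
    Bro does not guarantee table iteration order, so entries are sorted
    by key here to make the result deterministic."""
    captured = " or ".join(f"({expr})" for _, expr in sorted(capture_filters.items()))
    parts = [f"({captured})"]
    parts += [f"({expr})" for _, expr in sorted(restrict_filters.items())]
    return " and ".join(parts)


def excluded_nets(restrict_filters):
    """Parse only the 'not net <cidr>' form used in the post (a deliberately
    narrow check, not a BPF compiler): returns the networks being dropped."""
    nets = []
    for expr in restrict_filters.values():
        tokens = expr.split()
        if len(tokens) == 3 and tokens[:2] == ["not", "net"]:
            nets.append(ipaddress.ip_network(tokens[2], strict=False))
    return nets


def should_be_dropped(conn_line, restrict_filters):
    """Given a conn.log-style line (ts uid orig_h orig_p resp_h resp_p proto),
    report whether the responder address falls inside an excluded net.
    A line that still appears in conn.log but returns True here means the
    restrict filter is not actually in effect on the sensor."""
    fields = conn_line.split()
    resp_h = ipaddress.ip_address(fields[4])
    return any(resp_h in net for net in excluded_nets(restrict_filters))


# Constructed sample lines in the field order above (not from the post)
SAMPLE = [
    "1489855000.000001 CAAAAAAAAAAAAAAAAa 10.0.0.5 41340 239.255.255.250 60000 udp",
    "1489855000.000002 CBBBBBBBBBBBBBBBBb 10.0.0.5 51000 10.0.0.1 53 udp",
]

if __name__ == "__main__":
    print(build_bpf(CAPTURE_FILTERS, RESTRICT_FILTERS))
    for line in SAMPLE:
        print(should_be_dropped(line, RESTRICT_FILTERS), line)
```

Comparing the printed expression with what `print capture_filters` / `print restrict_filters` report is the quickest way to spot a table that never received its `not` or its network value.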

