[Bro-Dev] #482: Bro command line filter doesn't work anymore
bro at tracker.bro-ids.org
Wed Jun 22 21:04:35 PDT 2011
Reporter: gregor | Owner:
Type: Problem | Status: new
Priority: Normal | Milestone: Bro1.6
Component: Bro | Version: git/master
Setting a command-line filter with -f no longer works.

The filter passed on the command line is used by
build_default_pcap_filter(). Ultimately install_default_pcap_filter() is
called, which then calls the BiF install_pcap_filter(). The problem is
that install_pcap_filter() checks whether a filter was passed on the
command line and, if so, refuses to set the filter. Thus the command-line
filter never gets set.
I can fix this. However, I guess the question is: what is the best way to
do this? In particular, the question is what kind of filters should be
settable via the various interfaces? Right now bro supports:

a) Command line. Override any other filter ever set (obviously this is
b) `all_packets=T` Bro sets a default filter that captures all packets
c) `all_packets=F` Bro builds its default filter using capture_filter
and restrict_filter (old behavior)
d) a script can call the BiF install_pcap_filter to set any custom
filter unless a command line filter is specified.
* (a.), (b.), and (c.) are reflected by print-filter, but (d) isn't
* "d" can override the default filter but not a command line
* "d" is used by load-level.
* "a" is used by peer-status.bro, remote.bro, and remote-pcap.bro.
I'm not sure what those scripts do and whether they might get
confused if (d) is used.
* When a PktSrc is instantiated the constructor receives a filter
that the PktSrc compiles (at index 0) and then installs this
filter. Currently, net_init() still sets this filter to
"tcp or icmp or udp"
* When bro_init() is executed, pcap.bro will construct the default filter
(a, b, or c) and then install it.
* Should there be a function that returns the currently set
filter, even if (d) is used? I think that would make sense.
* I find the current way of setting filters confusing. Is there
maybe a better way to set/use filter?
* Then there's also the secondary path with its own filters. I
don't know how they work exactly though.

1) bro.bif stores a table matching filter index to filter
strings and it remembers which filter index is currently set.
Then it's easy to write a get_current_filter() BiF.
2) Use filter index 0 for case (a). If there's such a filter, don't
allow any other filter to be set.
Use filter index 1 for case (b)
Use filter index 2 for case (c)
Use other filter indexes for other cases.
Using install_pcap_filter() scripts could then even dynamically
change between (b) and (c)

I think (1) makes sense. Not sure whether (2) does.
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/482>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker
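Added example, not part of the ticket and not Bro code: a small Python model of the filter precedence the ticket describes, written to make the bug and the proposed index scheme concrete. It contrasts the current behaviour (install_pcap_filter() refuses every install once a -f filter exists, including the default path's own attempt to install that very filter, so the net_init() seed filter stays in place) with proposals (1) and (2) (a table of index to filter string, a remembered current index, index 0 for the command line locking out all other indexes, and a get_current_filter() lookup). The "ip or not ip" string for all_packets=T, the way capture_filter and restrict_filter entries are joined, and the index number used for custom filters are assumptions for illustration, not Bro's actual code.

```python
"""Model of pcap-filter precedence for Bro ticket #482 (illustrative, not Bro code)."""

CMDLINE_IDX, ALL_PACKETS_IDX, DEFAULT_IDX = 0, 1, 2   # proposal (2): fixed indexes
CUSTOM_IDX = 10                                       # assumed index for (d) installs
NET_INIT_FILTER = "tcp or icmp or udp"                # seed filter net_init() sets


def build_default_pcap_filter(cmdline_filter, all_packets, capture_filter, restrict_filter):
    """Return (index, filter) for the default filter, mirroring the (a)/(b)/(c)
    decision in the ticket.  How capture_filter/restrict_filter are composed
    is an assumption: capture entries are OR'ed, restrict entries AND'ed in."""
    if cmdline_filter is not None:                      # (a) command line wins
        return CMDLINE_IDX, cmdline_filter
    if all_packets:                                     # (b) capture everything
        return ALL_PACKETS_IDX, "ip or not ip"
    cap = " or ".join(capture_filter) or "ip or not ip"  # (c) old behaviour
    res = " and ".join(restrict_filter)
    return DEFAULT_IDX, f"({cap}) and ({res})" if res else cap


class CurrentFilterState:
    """Current behaviour from the ticket: once a command-line filter exists,
    install_pcap_filter() refuses any install, so the -f filter is never set."""

    def __init__(self, cmdline_filter):
        self.cmdline_filter = cmdline_filter
        self.installed = NET_INIT_FILTER

    def install_pcap_filter(self, idx, flt):
        if self.cmdline_filter is not None:
            return False                                # refused, even for idx 0
        self.installed = flt
        return True

    def get_current_filter(self):
        return self.installed


class ProposedFilterState:
    """Proposals (1)+(2): index -> filter table, remembered current index,
    index 0 (command line) locks out everything else, get_current_filter()."""

    def __init__(self):
        self.filters = {}
        self.current = None

    def install_pcap_filter(self, idx, flt):
        if self.current == CMDLINE_IDX and idx != CMDLINE_IDX:
            return False                                # (d) cannot beat (a)
        self.filters[idx] = flt
        self.current = idx
        return True

    def get_current_filter(self):
        return self.filters.get(self.current)


def simulate(state, cmdline_filter=None, all_packets=False,
             capture_filter=(), restrict_filter=(), custom_filter=None):
    """Replay the sequence in the ticket: bro_init() installs the default
    filter (a, b or c), then a script such as load-level tries a custom one (d).
    Returns (default_installed, custom_installed, filter now in effect)."""
    idx, flt = build_default_pcap_filter(cmdline_filter, all_packets,
                                         capture_filter, restrict_filter)
    default_ok = state.install_pcap_filter(idx, flt)
    custom_ok = None
    if custom_filter is not None:
        custom_ok = state.install_pcap_filter(CUSTOM_IDX, custom_filter)
    return default_ok, custom_ok, state.get_current_filter()


if __name__ == "__main__":
    # Constructed scenario: bro -f "port 53", then load-level asks for "port 22".
    print("current :", simulate(CurrentFilterState("port 53"),
                                cmdline_filter="port 53", custom_filter="port 22"))
    print("proposed:", simulate(ProposedFilterState(),
                                cmdline_filter="port 53", custom_filter="port 22"))
    # No -f: default built from capture/restrict, then overridden by (d).
    print("no -f   :", simulate(ProposedFilterState(),
                                capture_filter=["port 80", "port 443"],
                                restrict_filter=["not host 10.0.0.1"],
                                custom_filter="port 22"))
```

The first scenario is the bug: with the current logic the effective filter stays at the net_init() seed "tcp or icmp or udp" even though -f was given, while the index scheme installs the -f filter at index 0 and then correctly refuses the custom install. The third scenario shows (d) overriding the default filter and get_current_filter() reporting it, which is what print-filter currently cannot do.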