[Bro-Dev] #482: Bro command line filter doesn't work anymore

Bro Tracker bro at tracker.bro-ids.org
Wed Jun 22 21:04:35 PDT 2011

#482: Bro command line filter doesn't work anymore
 Reporter:  gregor   |      Owner:
     Type:  Problem  |     Status:  new
 Priority:  Normal   |  Milestone:  Bro1.6
Component:  Bro      |    Version:  git/master
 Keywords:           |

 Setting a command-line filter with -f no longer works.

 The filter passed on the command line is used by
 build_default_pcap_filter(). Ultimately install_default_pcap_filter() is
 called, which then calls the BiF install_pcap_filter(). The problem is
 that install_pcap_filter() checks whether a filter was passed on the
 command line and, if so, refuses to set the filter. Thus the command
 line filter never gets set.

 I can fix this. However, I guess the question is: what is the best way to
 do this? In particular, the question is what kind of filters should be
 settable via the various interfaces? Right now bro supports:

   a) Command line. Override any other filter ever set (obviously this is
      currently broken)
   b) `all_packets=T` Bro sets a default filter that captures all packets
   c) `all_packets=F` Bro builds its default filter using capture_filter
      and restrict_filter (old behavior)
   d) a script can call the BiF install_pcap_filter to set any custom
      filter unless a command line filter is specified.

 * (a.), (b.), and (c.) are reflected by print-filter, but (d) isn't
 * "d" can override the default filter but not a command line
   specified filter.
 * "d" is used by load-level.
 * "a" is used by peer-status.bro, remote.bro, and remote-pcap.bro.
   I'm not sure what those scripts do and whether they might get
   confused if (d) is used.

 * When a PktSrc is instantiated the constructor receives a filter
   that the PktSrc compiles (at index 0) and then installs this
   filter. Currently, net_init() still sets this filter
   "tcp or icmp or udp"

 * When bro_init() is executed, pcap.bro will construct the default filter
   (a, b, or c) and then install it.


 * Should there be a function that returns the currently set
   filter, even if (d) is used? I think that would make sense.
 * I find the current way of setting filters confusing. Is there
   maybe a better way to set/use filter?
 * Then there's also the secondary path with its own filters. I
   don't know how they work exactly though.


 1) bro.bif stores a table matching filter index to filter
    strings and it remembers which filter index is currently set.
    Then it's easy to write a get_current_filter() BiF.

 2) Use filter index 0 for case (a). If there's such a filter, don't
    allow any other filter to be set.

    Use filter index 1 for case (b)

    Use filter index 2 for case (c)

    Use other filter indexes for other cases.

    Using install_pcap_filter() scripts could then even dynamically
    change between (b) and (c)

 I think (1) makes sense. Not sure whether (2) does.

 Thoughts? Comments?


Ticket URL: <http://tracker.bro-ids.org/bro/ticket/482>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker
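The following is an added example, written for this page and not code from Bro or from the ticket's author. It models the filter bookkeeping proposed at the end of the message: proposal (1), a table from filter index to filter text plus a get_current_filter() that reports whichever filter is active, and proposal (2), index 0 reserved for the command-line filter with everything else refused once such a filter exists. It also replays the startup order the ticket describes (PktSrc constructor, then pcap.bro at bro_init(), then a script override as in (d)) under both the current refuse-everything check and the proposed one, so the bug is visible as the wrong filter ending up active. All names here (FilterTable, install_buggy, install_fixed, simulate_startup, the index constants) are assumptions, as are all filter strings other than "tcp or icmp or udp"; they are constructed samples.

```cpp
// Added example (not Bro's code): a model of the filter bookkeeping proposed
// in the ticket. Names here (FilterTable, install_buggy, install_fixed,
// simulate_startup) and all filter strings except "tcp or icmp or udp" are
// assumptions made for the illustration.
#include <cstdio>
#include <map>
#include <optional>
#include <string>
#include <utility>

// Filter indexes following proposal (2): 0 = command line (a), 1 = all_packets=T (b),
// 2 = capture_filter/restrict_filter default (c). The last two are assumed
// "other" indexes for the PktSrc constructor filter and a script override (d).
enum FilterIndex { IDX_CMDLINE = 0, IDX_ALL_PACKETS = 1, IDX_DEFAULT = 2,
                   IDX_PKTSRC_INIT = 3, IDX_SCRIPT = 4 };

struct FilterTable {
    std::map<int, std::string> filters;   // proposal (1): index -> filter text
    int current = -1;                     // index currently installed, -1 = none
    std::optional<std::string> cmdline;   // the -f filter, if one was given
};

// Model of install_pcap_filter() as described in the ticket: it refuses every
// install once a command-line filter exists, including the one that is
// supposed to carry the command-line filter itself.
bool install_buggy(FilterTable& t, int idx, const std::string& f) {
    if (t.cmdline)
        return false;
    t.filters[idx] = f;
    t.current = idx;
    return true;
}

// Model of proposal (2): index 0 is reserved for the command-line filter, and
// once such a filter exists only index 0 may be installed.
bool install_fixed(FilterTable& t, int idx, const std::string& f) {
    if (t.cmdline && idx != IDX_CMDLINE)
        return false;
    t.filters[idx] = f;
    t.current = idx;
    return true;
}

// Proposal (1): a get_current_filter() that reports whatever is active, even a
// script-installed filter that print-filter would not show today.
std::string get_current_filter(const FilterTable& t) {
    auto it = t.filters.find(t.current);
    return it == t.filters.end() ? std::string() : it->second;
}

// Replays the startup order described in the ticket (PktSrc constructor,
// then pcap.bro's default filter at bro_init(), then an optional script
// override such as load-level would do) and returns the filter left active.
std::string simulate_startup(std::optional<std::string> cmdline,
                             bool script_override, bool fixed) {
    FilterTable t;
    t.cmdline = std::move(cmdline);
    bool (*install)(FilterTable&, int, const std::string&) =
        fixed ? install_fixed : install_buggy;

    // 1. PktSrc compiles and installs the filter net_init() hands it; this
    //    path does not go through the BiF, so it is written directly.
    t.filters[IDX_PKTSRC_INIT] = "tcp or icmp or udp";
    t.current = IDX_PKTSRC_INIT;

    // 2. bro_init(): build_default_pcap_filter() picks (a) if -f was given,
    //    otherwise (c). The (c) text is a constructed sample.
    if (t.cmdline)
        install(t, IDX_CMDLINE, *t.cmdline);
    else
        install(t, IDX_DEFAULT, "(tcp or udp or icmp) and not net 10.0.0.0/8");

    // 3. A script calls install_pcap_filter() with its own filter (d);
    //    the text is a constructed sample.
    if (script_override)
        install(t, IDX_SCRIPT, "tcp port 80");

    return get_current_filter(t);
}

int main() {
    std::printf("bug,   -f given:          %s\n",
                simulate_startup(std::string("udp and port 53"), false, false).c_str());
    std::printf("fixed, -f given:          %s\n",
                simulate_startup(std::string("udp and port 53"), false, true).c_str());
    std::printf("fixed, -f + script (d):   %s\n",
                simulate_startup(std::string("udp and port 53"), true, true).c_str());
    std::printf("fixed, no -f, script (d): %s\n",
                simulate_startup(std::nullopt, true, true).c_str());
    return 0;
}
```

With the buggy check and -f given, the filter left active is the PktSrc constructor's "tcp or icmp or udp", which is exactly the symptom reported. With the proposed check the command-line filter wins and a later script install is refused, while without -f the script filter is installed and get_current_filter() reports it, which addresses the point that (d) is currently invisible to print-filter.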
