[Bro-Dev] [JIRA] (BIT-1478) BPF Filter for local.bro per activated log file

Johanna Amann (JIRA) jira at bro-tracker.atlassian.net
Thu Sep 17 15:26:00 PDT 2015

    [ https://bro-tracker.atlassian.net/browse/BIT-1478?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22107#comment-22107 ] 

Johanna Amann commented on BIT-1478:

Since this is not really a bug, but a question, the mailing list or irc are probably better suited for this question.

That being said, you can add bpf filters with the syntax described in https://www.bro.org/sphinx/scripts/base/frameworks/packet-filter/main.bro.html . The thread at http://comments.gmane.org/gmane.comp.security.detection.bro/4759 also has a few examples. There is no easy way to tell Bro to just allow traffic containing x509 certificates - you have to build the filter yourself, only allowing the hosts and services that have traffic containing x509 certificates. If using broctl, typically you would add the filter commands to local.bro or to a script that you load from local.bro -- it is discouraged to edit any scripts in base/ or policy/ yourself.

I will close this bug - like I said, if you have more questions the mailing list / irc chat will probably give you more replies.

> BPF Filter for local.bro per activated log file
> -----------------------------------------------
>                 Key: BIT-1478
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1478
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.3, 2.4
>         Environment: linux, mac osx, 
>            Reporter: Lu Goon
>              Labels: analyzer,, ssl,, x509
> when activating the x509.log or bro script in local.bro, can I configure a BPF filter to only affect x509? For example I only want to have events that the dust_host is our DMZ subnet. Can I configure that in the x509.bro file or some other bro configuration file?

This message was sent by Atlassian JIRA

More information about the bro-dev mailing list