[Bro] Some BPF love....

Tom OBrion hammadog at gmail.com
Thu Aug 9 08:26:38 PDT 2012 

Hey Tyler

Thanks, I was updating it in the spool folder based on the DOC I was
reading out on the SO groups site.  I thought it was wierd that I
update in the spool location and not the share location.  Maybe I was
just reading it wrong in the DOC.  I have been known to skin reading
and not completely reading it fully.  :)  Anyway, made the updates in
the location you mentioned and it seems to be working.  I am not using
your syntax though, I am using this:

redef cmd_line_bpf_filter = "not (host x.x.x.x)";

Worked like a champ.  Now I will tweak to include dest port and should
be good to go.  Thanks man.  Got me on the right track!

Tom

On Thu, Aug 9, 2012 at 10:38 AM, Tyler T. Schoenke
<tyler.schoenke at colorado.edu> wrote:
> I've only briefly tested SecurityOnion, but in vanilla Bro, you would
> add something like this to local.bro.  That file is located under
> $BROHOME/share/bro/site.
>
> redef restrict_filters += { ["host exemptions"] = "not (host 4.2.2.2)" };
>
> I don't know SecuritiyOnion's layout, but I don't think you want to add
> it under spool.  That is typically where runtime files are created.
>
> Tyler
>
> --
> Tyler Schoenke
> Network Security Manager
> IT Security Office
> University of Colorado at Boulder
>
> On 8/8/12 9:38 AM, Tom OBrion wrote:
>> Sent this off to the SecurityOnion group, but probably should have
>> sent it here.   Oopsy!
>>
>> Anyway
>>
>> Please....I know I must be doing something noobish...but man, I have
>> tried it 15 ways to Sunday and no love.
>>
>> editing:  /nsm/bro/spool/policy/site/local.bro
>>
>> added "redef cmd_line_bpf_filter = "not src host ipaddress";
>>
>> I want to tweak a tad more based on dst port, but need to at least get
>> the filter working for the IP.
>>
>> I then do a check/install/restart
>>
>> I watch BRO dns.log for the for the IP I added and she shows up.  What
>> the heck am I missing?
>>
>> Any help much appreciated.
>>
>>



-- 
Tom O'Brion
@tobrion

"Life is too short to spend time with people who suck the happy out of you."

More information about the Bro mailing list