[Bro] [security-onion] Re: Some BPF love....

Doug Burks doug.burks at gmail.com
Thu Aug 9 08:33:27 PDT 2012


Thanks for finding this documentation bug!  It is now fixed.

If I understand Seth correctly, we won't have to do this anymore in
Bro 2.1 since it will just read our existing bpf.conf.

Thanks,
Doug

On Thu, Aug 9, 2012 at 11:26 AM, Tom OBrion <hammadog at gmail.com> wrote:
> Hey Tyler
>
> Thanks, I was updating it in the spool folder based on the DOC I was
> reading out on the SO groups site.  I thought it was weird that I
> update in the spool location and not the share location.  Maybe I was
> just reading it wrong in the DOC.  I have been known to skim reading
> and not completely reading it fully.  :)  Anyway, made the updates in
> the location you mentioned and it seems to be working.  I am not using
> your syntax though, I am using this:
>
> redef cmd_line_bpf_filter = "not (host x.x.x.x)";
>
> Worked like a champ.  Now I will tweak to include dest port and should
> be good to go.  Thanks man.  Got me on the right track!
>
> Tom
>
> On Thu, Aug 9, 2012 at 10:38 AM, Tyler T. Schoenke
> <tyler.schoenke at colorado.edu> wrote:
>> I've only briefly tested SecurityOnion, but in vanilla Bro, you would
>> add something like this to local.bro.  That file is located under
>> $BROHOME/share/bro/site.
>>
>> redef restrict_filters += { ["host exemptions"] = "not (host 4.2.2.2)" };
>>
>> I don't know SecurityOnion's layout, but I don't think you want to add
>> it under spool.  That is typically where runtime files are created.
>>
>> Tyler
>>
>> --
>> Tyler Schoenke
>> Network Security Manager
>> IT Security Office
>> University of Colorado at Boulder
>>
>> On 8/8/12 9:38 AM, Tom OBrion wrote:
>>> Sent this off to the SecurityOnion group, but probably should have
>>> sent it here.   Oopsy!
>>>
>>> Anyway
>>>
>>> Please....I know I must be doing something noobish...but man, I have
>>> tried it 15 ways to Sunday and no love.
>>>
>>> editing:  /nsm/bro/spool/policy/site/local.bro
>>>
>>> added: redef cmd_line_bpf_filter = "not src host ipaddress";
>>>
>>> I want to tweak a tad more based on dst port, but need to at least get
>>> the filter working for the IP.
>>>
>>> I then do a check/install/restart
>>>
>>> I watch BRO dns.log for the IP I added and she shows up.  What
>>> the heck am I missing?
>>>
>>> Any help much appreciated.
>>>
>>>
>
>
>
> --
> Tom O'Brion
> @tobrion
>
> "Life is too short to spend time with people who suck the happy out of you."



-- 
Doug Burks
http://securityonion.blogspot.com
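The thread turns on how a BPF exemption is scoped: Tom's first attempt used `not src host ipaddress`, which only drops packets *sent by* that host, while Tyler's `not (host 4.2.2.2)` drops both directions, and Tom's follow-up plan adds a `dst port` qualifier. The small evaluator below is an added example, not code from the thread, from Bro, or from Security Onion; it implements only the BPF subset used here (`host`, `port`, `src`/`dst` qualifiers, `not`/`and`/`or`, parentheses) and runs it over constructed packet tuples, so a candidate exemption can be reasoned about before it goes into `local.bro` or `bpf.conf`. The sample traffic and the `Packet` class are assumptions made for the example.

```python
"""Toy evaluator for the BPF subset used in host/port exemption filters.

Constructed example, not libpcap: it parses expressions such as
    not (host 4.2.2.2 and dst port 53)
and applies them to packet tuples, so the effect of an exemption
(which direction and which service it really excludes) can be checked
before it is dropped into local.bro or bpf.conf.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")


class Parser:
    # Grammar (BPF subset):
    #   or_expr  := and_expr ('or' and_expr)*
    #   and_expr := not_expr ('and' not_expr)*
    #   not_expr := 'not' not_expr | primary
    #   primary  := '(' or_expr ')' | [src|dst] host ADDR | [src|dst] port NUM
    # Each production returns a predicate Packet -> bool.
    def __init__(self, expr):
        self.toks = TOKEN_RE.findall(expr)
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self):
        node = self.or_expr()
        if self.peek() is not None:
            raise ValueError("unexpected token %r" % self.peek())
        return node

    def or_expr(self):
        left = self.and_expr()
        while self.peek() == "or":
            self.take()
            right = self.and_expr()
            left = (lambda l, r: lambda p: l(p) or r(p))(left, right)
        return left

    def and_expr(self):
        left = self.not_expr()
        while self.peek() == "and":
            self.take()
            right = self.not_expr()
            left = (lambda l, r: lambda p: l(p) and r(p))(left, right)
        return left

    def not_expr(self):
        if self.peek() == "not":
            self.take()
            inner = self.not_expr()
            return lambda p: not inner(p)
        return self.primary()

    def primary(self):
        tok = self.take()
        if tok == "(":
            node = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        direction = None
        if tok in ("src", "dst"):
            direction = tok
            tok = self.take()
        if tok == "host":
            addr = self.take()
            if direction == "src":
                return lambda p: p.src == addr
            if direction == "dst":
                return lambda p: p.dst == addr
            return lambda p: addr in (p.src, p.dst)   # unqualified: either end
        if tok == "port":
            num = int(self.take())
            if direction == "src":
                return lambda p: p.sport == num
            if direction == "dst":
                return lambda p: p.dport == num
            return lambda p: num in (p.sport, p.dport)
        raise ValueError("unsupported token %r" % tok)


def compile_filter(expr):
    return Parser(expr).parse()


def captured(expr, packets):
    """Packets that pass the filter, i.e. that the sensor would still see."""
    pred = compile_filter(expr)
    return [p for p in packets if pred(p)]


# Constructed sample traffic: a DNS exchange with a resolver the analyst wants
# to exempt, plus an unrelated HTTP flow that must keep being monitored.
SAMPLE = [
    Packet("10.0.0.5", "4.2.2.2", 51000, 53),        # DNS query to resolver
    Packet("4.2.2.2", "10.0.0.5", 53, 51000),        # DNS reply from resolver
    Packet("10.0.0.5", "198.51.100.10", 51001, 80),  # HTTP, unrelated
]

FILTERS = [
    "not src host 4.2.2.2",                 # one direction only: reply dropped, query kept
    "not host 4.2.2.2",                     # both directions dropped
    "not (host 4.2.2.2 and dst port 53)",   # only traffic *to* the resolver's DNS port dropped
]


def survivors():
    """Map each candidate filter to the number of sample packets it lets through."""
    return {f: len(captured(f, SAMPLE)) for f in FILTERS}


if __name__ == "__main__":
    for f, n in survivors().items():
        print("%-40s -> %d of %d packets still captured" % (f, n, len(SAMPLE)))
```

The evaluator only models the predicates; it does not replace a real syntax check, so once an expression is chosen it is still worth running it through libpcap (for instance `tcpdump -d '<expression>'`, which compiles the filter and prints the resulting program, or errors out on bad syntax) before restarting the sensor.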