[Bro] BPF packet filter syntax

Corey Roach (ISO) Corey.Roach at utah.edu
Mon Aug 27 15:41:48 PDT 2012


Before I go dive into source I thought I'd throw a quick question to the group.

Can you use the entire BPF syntax (things other than just "host") when building a Bro filter?

For example, I've got something like this in my local.bro:

redef PacketFilter::all_packets = F;
redef capture_filters = [[ "all"] = "ip or not ip"];
redef restrict_filters += [ ["not-one-host"] = "not host 10.10.1.1"];
redef restrict_filters += [ ["not-two-hosts"] = "not host 10.20.1.1 and not host 10.30.1.1"];
redef restrict_filters += [ ["not-one-net"] = "not net 10.40.1.192/26"];
redef restrict_filters += [ ["not-two-nets"] = "not net 10.50.1.0/20 and not net 10.60.1.0/22"];

But it seems that the "10.50.1.0/20" network is still leaking in traffic?

Ultimately I'd like to eliminate the traffic at my upstream device, but in the meantime, does anyone see something I'm doing obviously wrong?

Thanks,
Corey
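One check worth running on filters like the ones above before blaming the syntax: libpcap's compiler rejects a "net a.b.c.d/len" primitive whose address has bits set outside the prefix (it fails with "non-network bits set in ..."), so an expression containing one never compiles at all. The script below is an added example, not Bro's code and not from the original message. It rebuilds the redefs from the message as Python dictionaries (constructed input), flags every "net" primitive whose CIDR is not on its prefix boundary, and combines the per-id filters into one BPF expression. The combination rule (capture filters OR'ed, restrict filters AND'ed, then the two groups AND'ed) is an assumption about what Bro's PacketFilter framework does; the function names are the example's own.

```python
import ipaddress
import re

# Constructed to mirror the redefs in the message (not Bro's own data structures).
capture_filters = {"all": "ip or not ip"}
restrict_filters = {
    "not-one-host": "not host 10.10.1.1",
    "not-two-hosts": "not host 10.20.1.1 and not host 10.30.1.1",
    "not-one-net": "not net 10.40.1.192/26",
    "not-two-nets": "not net 10.50.1.0/20 and not net 10.60.1.0/22",
}

# Matches the IPv4 CIDR form of the BPF "net" primitive.
NET_RE = re.compile(r"\bnet\s+(\d+\.\d+\.\d+\.\d+)/(\d+)\b")


def check_net_primitives(bpf):
    """Return [(cidr, aligned_cidr), ...] for every 'net a.b.c.d/len' in the
    expression whose address has host bits set, i.e. bits outside the prefix.
    libpcap refuses to compile such a primitive, so an empty list is the only
    result under which the expression can load."""
    bad = []
    for addr, plen in NET_RE.findall(bpf):
        cidr = f"{addr}/{plen}"
        try:
            ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            # strict=False masks the host bits off; that is the network the
            # author most likely meant to write.
            aligned = ipaddress.ip_network(cidr, strict=False)
            bad.append((cidr, str(aligned)))
    return bad


def audit(capture, restrict):
    """Map each filter id to its misaligned net primitives (ids with none are omitted)."""
    problems = {}
    for fid, expr in {**capture, **restrict}.items():
        bad = check_net_primitives(expr)
        if bad:
            problems[fid] = bad
    return problems


def _join(filters, op):
    exprs = [filters[k] for k in sorted(filters)]
    if len(exprs) == 1:
        return exprs[0]
    return f" {op} ".join(f"({e})" for e in exprs)


def build_filter(capture, restrict):
    """Combine per-id filters into one BPF expression. Assumption: capture
    filters are OR'ed together, restrict filters AND'ed together, and the two
    groups AND'ed, which is how Bro's PacketFilter framework is understood to
    merge capture_filters and restrict_filters."""
    cap = _join(capture, "or") if capture else ""
    res = _join(restrict, "and") if restrict else ""
    if cap and res:
        return f"({cap}) and ({res})"
    return cap or res


if __name__ == "__main__":
    for fid, bad in audit(capture_filters, restrict_filters).items():
        for cidr, aligned in bad:
            print(f"{fid}: '{cidr}' has host bits set; did you mean '{aligned}'?")
    print("combined filter:", build_filter(capture_filters, restrict_filters))
```

For the filters in the message, the audit flags both nets in "not-two-nets": 10.50.1.0/20 and 10.60.1.0/22 each have host bits set (the aligned networks are 10.50.0.0/20 and 10.60.0.0/22), while 10.40.1.192/26 is fine. The quickest way to confirm what libpcap itself thinks of the combined expression, without starting Bro, is to hand it to tcpdump with -d, which compiles the filter and dumps the BPF program instead of capturing; a misaligned net aborts with the "non-network bits set" error.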




