[Bro] BPF packet filter syntax

Seth Hall seth at icir.org
Mon Aug 27 19:39:17 PDT 2012


On Aug 27, 2012, at 6:41 PM, Corey Roach (ISO) <Corey.Roach at utah.edu> wrote:

> redef restrict_filters += [ ["not-two-nets"] = "not net 10.50.1.0/20 and not net 10.60.1.0/22"];

I'm surprised that Bro is starting up for you.  When I try running with these lines I get a message about a bad filter.  The line that I left above doesn't work as a valid BPF filter: there are network bits beyond the netmask, which BPF doesn't seem to like.

I think the CIDRs you meant to use are:
	10.50.0.0/20
	10.60.0.0/11

So use this instead:
	redef restrict_filters += { ["not-two-nets"] = "not net 10.50.0.0/20 and not net 10.60.0.0/22" };


> Ultimately I'd like to eliminate the traffic at my upstream device, but in the meantime, does anyone see something I'm doing obviously wrong?


Once again, I'd like to apologize to everyone for not getting the rewritten packet filter framework into 2.1.  This will be so much easier when that's finally included (the worst part is that it's already done!).

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
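One way to catch this class of mistake before Bro hands the filter to libpcap, as an added example that is not part of the original message or of Bro itself: a small Python checker that finds each `net a.b.c.d/n` primitive in a BPF filter string and reports whether the address has bits set beyond the netmask, using only the standard library's `ipaddress` module. It assumes the CIDR form of `net` (the `net addr mask m` and abbreviated `net 10.50` forms are not handled) and uses the filter from the thread as its sample input.

```python
import ipaddress
import re

# Matches the BPF "net <a.b.c.d>/<prefix>" primitive (IPv4 CIDR form only).
NET_RE = re.compile(r"\bnet\s+(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\b")


def check_bpf_nets(bpf_filter):
    """Return (cidr, ok, canonical) for every 'net a.b.c.d/n' in the filter.

    ok is False when the address has bits set beyond the netmask, which is
    what produces the "bad filter" error described above; canonical is the
    properly aligned network for that prefix length.
    """
    results = []
    for cidr in NET_RE.findall(bpf_filter):
        try:
            # strict=True raises ValueError when host bits are set.
            net = ipaddress.ip_network(cidr, strict=True)
            results.append((cidr, True, str(net)))
        except ValueError:
            # strict=False masks the host bits off to give the aligned network.
            fixed = ipaddress.ip_network(cidr, strict=False)
            results.append((cidr, False, str(fixed)))
    return results


def fix_bpf_nets(bpf_filter):
    """Rewrite every misaligned 'net' primitive to its aligned network address."""
    def repl(match):
        return "net " + str(ipaddress.ip_network(match.group(1), strict=False))
    return NET_RE.sub(repl, bpf_filter)


if __name__ == "__main__":
    # Constructed sample: the filter from the original question.
    flt = "not net 10.50.1.0/20 and not net 10.60.1.0/22"
    for cidr, ok, canonical in check_bpf_nets(flt):
        state = "ok" if ok else "host bits set beyond netmask"
        print(f"{cidr}: {state} -> {canonical}")
    print(fix_bpf_nets(flt))
```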