[Bro] BPF packet filter syntax
Corey Roach (ISO)
Corey.Roach at utah.edu
Wed Aug 29 09:57:43 PDT 2012
Hey Gang,
I still don't have this working properly, but I think I'm making progress and I've got it down to a repeatable test.
For testing I installed the latest pfring SVN and Bro v2.1-rc3 on an Ubuntu Server 12.04.1 VMware Fusion VM.
The only change I made to the plain-vanilla install is to add the following lines to the bottom of the local.bro:
redef PacketFilter::all_packets = F;
redef capture_filters = { ["all"] = "ip or not ip" };
redef restrict_filters += { ["not-one-host"] = "not host 10.10.10.1" };
redef restrict_filters += { ["not-one-net"] = "not net 10.10.20.0/24" };
I start it up, and the filter shows up properly in the packet_filter.log
I then change the node.cfg from stand-alone mode to a single box cluster (manager, proxy and worker all on the same box) and start it up again and nothing shows up in the packet_filter.log.
So, it appears to possibly be a stand-alone vs cluster issue.
Has anyone successfully applied a packet filter to a clustered environment? Did you have to make any other tweaks to get it to work?
- Corey
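As an added illustration (not part of Corey's post and not Bro's own code), the script below composes the three redefs from the post into one BPF expression and evaluates it against a few constructed packets, so the intended effect of the filter can be checked independently of what packet_filter.log does or does not show. It assumes the combination rule of Bro's PacketFilter framework (capture filters OR'ed together, restrict filters AND'ed together, then the two groups AND'ed); the exact parenthesisation Bro writes to packet_filter.log may differ, so compare the meaning rather than the literal string. The evaluator covers only the primitives used in the post (ip, host, net, not, and, or, parentheses) and is not a general BPF implementation.

```python
import ipaddress
import re

# Constructed config mirroring the redefs in the post (same values).
CAPTURE_FILTERS = {"all": "ip or not ip"}
RESTRICT_FILTERS = {
    "not-one-host": "not host 10.10.10.1",
    "not-one-net": "not net 10.10.20.0/24",
}


def build_filter(capture, restrict):
    """Combine filters the way Bro's PacketFilter framework is assumed to:
    capture filters OR'ed, restrict filters AND'ed, then both groups AND'ed."""
    cap = " or ".join(f"({f})" for f in capture.values())
    res = " and ".join(f"({f})" for f in restrict.values())
    if not restrict:
        return cap
    if not capture:
        return res
    return f"({cap}) and ({res})"


class Packet:
    """Minimal packet model: IPv4 src/dst, or None for non-IP frames (e.g. ARP)."""

    def __init__(self, src=None, dst=None):
        self.src = ipaddress.ip_address(src) if src else None
        self.dst = ipaddress.ip_address(dst) if dst else None


def compile_bpf(expr):
    """Recursive-descent parser for the BPF subset used above; returns a
    predicate Packet -> bool. Precedence: not > and > or, as in libpcap."""
    tokens = re.findall(r"\(|\)|[^\s()]+", expr)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        return tok

    def parse_or():
        node = parse_and()
        while peek() == "or":
            take()
            left, right = node, parse_and()
            node = lambda pkt, l=left, r=right: l(pkt) or r(pkt)
        return node

    def parse_and():
        node = parse_not()
        while peek() == "and":
            take()
            left, right = node, parse_not()
            node = lambda pkt, l=left, r=right: l(pkt) and r(pkt)
        return node

    def parse_not():
        if peek() == "not":
            take()
            inner = parse_not()
            return lambda pkt, f=inner: not f(pkt)
        if peek() == "(":
            take()
            inner = parse_or()
            if take() != ")":
                raise ValueError("expected ')'")
            return inner
        return parse_primitive()

    def parse_primitive():
        tok = take()
        if tok == "ip":
            return lambda pkt: pkt.src is not None
        if tok == "host":
            addr = ipaddress.ip_address(take())
            return lambda pkt, a=addr: pkt.src == a or pkt.dst == a
        if tok == "net":
            net = ipaddress.ip_network(take(), strict=False)

            def in_net(pkt, n=net):
                if pkt.src is None:
                    return False  # non-IP frame never matches "net"
                return pkt.src in n or pkt.dst in n
            return in_net
        raise ValueError(f"unsupported primitive: {tok}")

    fn = parse_or()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens: {tokens[pos:]}")
    return fn


def should_capture(pkt, capture=CAPTURE_FILTERS, restrict=RESTRICT_FILTERS):
    """True if the combined filter would let this packet through to Bro."""
    return compile_bpf(build_filter(capture, restrict))(pkt)


if __name__ == "__main__":
    print(build_filter(CAPTURE_FILTERS, RESTRICT_FILTERS))
    for p in (Packet("10.10.10.1", "192.0.2.5"), Packet("10.10.20.7", "192.0.2.5"),
              Packet("192.0.2.5", "198.51.100.9"), Packet()):
        print(p.src, p.dst, should_capture(p))
```

The printed expression is what one would expect to find (modulo parenthesisation) in packet_filter.log on every worker; the four sample packets show that traffic involving 10.10.10.1 or 10.10.20.0/24 is dropped while other IP traffic and non-IP frames are kept.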