[Bro] BPF packet filter syntax

Seth Hall seth at icir.org
Fri Aug 31 06:33:39 PDT 2012


On Aug 29, 2012, at 12:57 PM, Corey Roach (ISO) <Corey.Roach at utah.edu> wrote:

> So, it appears to possibly be a stand-alone vs cluster issue.
> 
> Has anyone successfully applied a packet filter to a clustered environment? Did you have to make any other tweaks to get it to work?


After thinking about this for a couple of days, I'm starting to wonder if there is some problem with when this log write is happening.  It's possible that the remote communication has not yet begun by the time the filter is being applied so the remote logging isn't happening right.

I'll try and carve out some time soon to look into it more closely, though, since it sounds like you were saying that the filter wasn't being applied at all, as you were seeing traffic in your conn.log that you wouldn't expect to see.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
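A check for the symptom in this thread (connections in conn.log that the capture filter should have kept out), added here as an example; it is not code from the thread or from Bro itself. It assumes conn.log in Bro's tab-separated format with its #fields header and the standard uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p and proto columns, and it only understands a small BPF subset (tcp/udp/icmp, [src|dst] host ADDR, [src|dst] port NUM, not/and/or, parentheses, and BPF's implicit "and" between adjacent primitives). The sample log lines are constructed. A connection is flagged only when no packet in either direction would have passed the filter, because a single captured packet is enough to create a conn.log entry; that is also why a "not src host X" filter, which drops only one direction, does not remove X's connections from conn.log.

```python
"""Flag conn.log entries that a BPF capture filter should have excluded.

Added example, not Bro project code. Supports a small BPF subset only; the
sample conn.log below is constructed, not captured traffic.
"""
import ipaddress
import re
from typing import Callable, Dict, List, Optional

Packet = Dict[str, str]                 # keys: proto, src, sport, dst, dport
Pred = Callable[[Packet], bool]
TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")


class BPFParser:
    """expr := term ('or' term)*; term := factor (['and'] factor)*;
    factor := 'not' factor | '(' expr ')' | proto | [src|dst] host A | [src|dst] port N"""

    def __init__(self, text: str) -> None:
        self.toks, self.pos = TOKEN_RE.findall(text), 0

    def peek(self) -> Optional[str]:
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self) -> str:
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of filter")
        self.pos += 1
        return tok

    def parse(self) -> Pred:
        pred = self.expr()
        if self.peek() is not None:
            raise ValueError(f"trailing token {self.peek()!r}")
        return pred

    def expr(self) -> Pred:
        left = self.term()
        while self.peek() == "or":
            self.take()
            left = self._or(left, self.term())
        return left

    def term(self) -> Pred:
        left = self.factor()
        while True:
            nxt = self.peek()
            if nxt == "and":
                self.take()
            elif nxt is None or nxt in ("or", ")"):
                break
            left = self._and(left, self.factor())  # explicit or implicit 'and'
        return left

    def factor(self) -> Pred:
        tok = self.take()
        if tok == "not":
            inner = self.factor()
            return lambda p: not inner(p)
        if tok == "(":
            inner = self.expr()
            if self.take() != ")":
                raise ValueError("expected ')'")
            return inner
        if tok in ("tcp", "udp", "icmp"):
            proto = tok
            return lambda p: p["proto"] == proto
        direction = None
        if tok in ("src", "dst"):
            direction, tok = tok, self.take()
        if tok == "host":   # IP literal only; hostnames are not resolved here
            return self._qualified(direction, "src", "dst", str(ipaddress.ip_address(self.take())))
        if tok == "port":
            return self._qualified(direction, "sport", "dport", str(int(self.take())))
        raise ValueError(f"unsupported token {tok!r}")

    @staticmethod
    def _and(l: Pred, r: Pred) -> Pred:
        return lambda p: l(p) and r(p)

    @staticmethod
    def _or(l: Pred, r: Pred) -> Pred:
        return lambda p: l(p) or r(p)

    @staticmethod
    def _qualified(direction: Optional[str], skey: str, dkey: str, value: str) -> Pred:
        if direction == "src":
            return lambda p: p[skey] == value
        if direction == "dst":
            return lambda p: p[dkey] == value
        return lambda p: p[skey] == value or p[dkey] == value  # unqualified: either end


def parse_conn_log(text: str) -> List[Dict[str, str]]:
    """Parse Bro's tab-separated log using the column names from its #fields header."""
    fields: List[str] = []
    records = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif not line.startswith("#") and line.strip():
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def unexpected_connections(conn_log: str, bpf_filter: str) -> List[str]:
    """UIDs of connections where no packet in either direction passes the filter.

    One captured packet is enough for a conn.log entry, so both directions are
    tested: 'not src host X' still lets X's reverse-direction packets through.
    """
    pred = BPFParser(bpf_filter).parse()
    flagged = []
    for rec in parse_conn_log(conn_log):
        fwd = {"proto": rec["proto"], "src": rec["id.orig_h"], "sport": rec["id.orig_p"],
               "dst": rec["id.resp_h"], "dport": rec["id.resp_p"]}
        rev = {"proto": rec["proto"], "src": rec["id.resp_h"], "sport": rec["id.resp_p"],
               "dst": rec["id.orig_h"], "dport": rec["id.orig_p"]}
        if not (pred(fwd) or pred(rev)):
            flagged.append(rec["uid"])
    return flagged


# Constructed sample conn.log (Bro 2.x layout, trimmed to the fields used here).
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\n"
    "1346421219.123456\tCXWv6p3arKYeMETxOg\t10.0.0.5\t51234\t10.0.0.1\t53\tudp\tdns\n"
    "1346421220.654321\tCjhGID4nQcgTWjvg4c\t10.0.0.5\t51235\t93.184.216.34\t80\ttcp\thttp\n"
    "1346421221.000000\tC4J4Th3PJpwUYZZ6gc\t10.0.0.7\t40000\t10.0.0.1\t53\ttcp\tdns\n"
    "1346421222.000000\tCtPZjS20MLrsMUOJi2\t10.0.0.9\t22\t10.0.0.5\t50000\ttcp\tssh\n"
)

if __name__ == "__main__":
    for f in ("not port 53", "tcp and not port 53", "not src host 10.0.0.5"):
        print(f"{f!r}: should be absent from conn.log -> {unexpected_connections(SAMPLE_CONN_LOG, f)}")
```

Run it against a real conn.log by reading the file into unexpected_connections() with the filter from packet_filter.log; an empty list means every logged connection had at least one packet the filter lets through, a non-empty one is evidence the filter was not in effect on the node that saw that traffic.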
