[Bro] Adding options to bro managed by broctl

Seth Hall seth at icir.org
Sun Aug 31 09:07:55 PDT 2014


On Aug 28, 2014, at 11:07 AM, James Lay <jlay at slave-tothe-box.net> wrote:

> broargs = -f 'net 1.0.0.0/24 or port 443'
> 
> to your broctl.cfg file.

That will work, but technically it might be a bit better to do something like this...

redef capture_filters += {
	["watched network"] = "net 1.0.0.0/24",
	["https"] = "port 443"
};

If you build up what you want to capture this way it gives Bro the chance to automatically build your BPF filters for you, including checking each component of your filter for mistakes which it will then detect at startup and tell you which component of your filter failed.  If you use the above lines to indicate the traffic you'd like to allow into Bro, you can also set restriction filters to limit something a bit.  For instance, in that 1.0.0.0/24 subnet you might want to ignore a single host.  You could implement that by adding the following lines...

redef restrict_filters += {
	["unmonitored host"] = "host 1.0.0.54"
};

The filter that would ultimately be constructed by those lines is...
	((port 443) or (net 1.0.0.0/24)) and (host 1.0.0.54)

One thing to be careful with here, though, is that generally when you take the stance that you are doing filtering you have to be really careful to understand your traffic.  If you have any traffic with MPLS or VLAN tags, the filters I gave won't allow that traffic through.  If you're interested in doing ARP analysis you won't see those packets either.  Same goes for IPv6.

Filtering is an area where we've tried to make things simple by running a fully open filter; there are a lot of dragons when you stray from that path. :)

  .Seth


--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
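To see how the two tables combine, and to dry-run the result before pointing it at a live interface, here is an added example in Python. It is not Bro's own code and not part of the message above: it assembles the filter string the way the message describes (capture components OR'd together, restrict components AND'd onto the result), parses each component on its own so a broken one is reported under its table key, and evaluates the assembled filter against a handful of constructed packets. The addresses are RFC 5737 documentation ranges, the `not host` restrict expression and the packet dicts are this example's own choices, and the VLAN/ARP handling is a simplified model of the caveat in the message, not libpcap's real offset logic.

```python
"""Assemble a BPF filter from capture_filters / restrict_filters as the message describes
(capture components OR'd, restrict components AND'd) and dry-run it on constructed packets.
Example code written for this page, not Bro's own implementation; the evaluator covers only
the BPF subset used here: net, host, port, and, or, not, parentheses."""
import ipaddress
import re

def build_filter(capture, restrict):
    """Return "(c1) or (c2) and (r1) and (r2)"; sorting the keys is this example's choice."""
    cap = " or ".join(f"({capture[k]})" for k in sorted(capture))
    if not restrict:
        return cap
    return f"({cap}) and " + " and ".join(f"({restrict[k]})" for k in sorted(restrict))

def parse(expr):
    """Recursive descent: expr := term ('or' term)*; term := factor ('and' factor)*;
    factor := 'not' factor | '(' expr ')' | ('net' | 'host' | 'port') value."""
    toks, pos = re.findall(r"\(|\)|[^\s()]+", expr), [0]
    def peek():
        return toks[pos[0]] if pos[0] < len(toks) else None
    def take():
        if peek() is None:
            raise ValueError("unexpected end of filter")
        pos[0] += 1
        return toks[pos[0] - 1]
    def or_expr():
        node = and_expr()
        while peek() == "or":
            take()
            node = ("or", node, and_expr())
        return node
    def and_expr():
        node = factor()
        while peek() == "and":
            take()
            node = ("and", node, factor())
        return node
    def factor():
        tok = take()
        if tok == "not":
            return ("not", factor())
        if tok == "(":
            node = or_expr()
            if take() != ")":
                raise ValueError("unbalanced parentheses")
            return node
        if tok in ("net", "host", "port"):
            return (tok, take())
        raise ValueError(f"unsupported primitive {tok!r}")
    tree = or_expr()
    if peek() is not None:
        raise ValueError(f"trailing token {peek()!r}")
    return tree

def check_components(*tables):
    """Parse each component alone, as Bro does at startup, so errors carry the table key."""
    bad = {}
    for table in tables:
        for name, expr in table.items():
            try:
                parse(expr)
            except ValueError as err:
                bad[name] = str(err)
    return bad

def matches(node, pkt):
    """Evaluate a parsed filter against a constructed packet dict."""
    op = node[0]
    if op in ("or", "and"):
        left, right = matches(node[1], pkt), matches(node[2], pkt)
        return (left or right) if op == "or" else (left and right)
    if op == "not":
        return not matches(node[1], pkt)
    # Simplified model of the caveat in the message: without the 'vlan' keyword a filter
    # does not match 802.1Q-tagged frames, and an ARP frame carries no IP header at all.
    if pkt.get("vlan") or pkt.get("proto") != "ip":
        return False
    if op == "net":
        net = ipaddress.ip_network(node[1], strict=False)
        return any(ipaddress.ip_address(pkt[k]) in net for k in ("src", "dst"))
    if op == "host":
        return node[1] in (pkt["src"], pkt["dst"])
    return int(node[1]) in (pkt.get("sport"), pkt.get("dport"))

# Constructed tables (RFC 5737 addresses). 'not host' is this example's own restrict
# expression: it drops that host from the capture instead of requiring it.
CAPTURE = {"watched network": "net 192.0.2.0/24", "https": "port 443"}
RESTRICT = {"unmonitored host": "not host 192.0.2.54"}

# Constructed packets; vlan=True marks an 802.1Q-tagged frame.
PACKETS = {
    "https from outside": dict(proto="ip", src="198.51.100.9", dst="203.0.113.5", sport=50000, dport=443),
    "dns from watched host": dict(proto="ip", src="192.0.2.10", dst="203.0.113.53", sport=40000, dport=53),
    "https from excluded host": dict(proto="ip", src="192.0.2.54", dst="203.0.113.5", sport=40001, dport=443),
    "http from outside": dict(proto="ip", src="198.51.100.9", dst="203.0.113.5", sport=50001, dport=80),
    "vlan-tagged https": dict(proto="ip", vlan=True, src="198.51.100.9", dst="203.0.113.5", sport=50002, dport=443),
    "arp in watched net": dict(proto="arp", src="192.0.2.10", dst="192.0.2.1"),
}

def dry_run(capture=CAPTURE, restrict=RESTRICT, packets=PACKETS):
    tree = parse(build_filter(capture, restrict))
    return {name: matches(tree, pkt) for name, pkt in packets.items()}
```

Import the module and call `dry_run()`: the tagged frame and the ARP request fall outside the filter even though they come from the watched network, which is the point of the warning in the message, and the excluded host is dropped while its neighbours pass. In a real deployment the per-component check is done by Bro itself at startup; `check_components()` here only knows the small BPF subset the parser accepts.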
