[Bro] Problem changing restrict_filters

sangdrax8 sangdrax8 at gmail.com
Mon Feb 3 11:14:30 PST 2014 

I think I have the issue resolved, but I can't give more than a guess as to
what was wrong.  After not being able to update this I decided to delete
one worker node and just completely re-install it.  After doing this, it
still returned the same restrict_filter (which it shouldn't have ever seen
before).

I noticed that even after stopping the process through broctl, there was
still multiple processes running on the node.  I rebooted the machine, and
installed a second time. This time everything seems to be working as
expected.

My only guess is that it might have something to do with trying to do an
update rather than a restart.  The first time I attempted this, I did an
install to push the change and then an update.  That didn't appear to work
so I tried restarting.  After I rebooted my node I have always just been
doing install followed by a restart to pull in the changes.  Since doing
this my changes seem to apply correctly.

Wish I had something more definitive, but maybe it will save someone some
time.


On Mon, Feb 3, 2014 at 12:37 PM, sangdrax8 <sangdrax8 at gmail.com> wrote:

> I am having an issue with changing my restrict_filters that I setup a
> while back.  I don't know if I am just forgetting how this works, but if
> someone can help me out here it would be much appreciated.
>
> Previously I had added a section to my local.bro file to restrict the
> traffic some of my nodes are seeing.  I used the following syntax with some
> dummy IP's for an example:
>
> const idsvm4_hosts = "192.168.0.1 or 192.168.0.2";
>
> redef PacketFilter::enable_auto_protocol_capture_filters = T;
> redef capture_filters = { ["all"] = "ip or not ip" };
> redef restrict_filters = { ["local-src"] = "src host ("+idsvm4_hosts+")"
>  };
> redef restrict_filters += { ["local-dst"] = "dst host ("+idsvm4_hosts+")"
>  };
>
> When I did this, I could use the print command in broctl to see that it
> was in fact working as expected. (print restrict_filters idsvm4)
>
> Now I am trying to change this list, and so I have edited the const I
> declared previously.  I added a few hosts to idsvm4_hosts, and I did an
> install and restart.  When I run the same print, I get back the original
> restrict_filters.  It looks like the node keeps the old one.
>
> while troubleshooting this I have gone as far as to completely remove all
> my code about packet filters.  I issued an install, and restarted the
> entire cluster.  Still the print statement returns with the ORIGINAL
> restrict_filters I set a few months ago.  I feel like I must be missing
> something here, but I just can't remember what I did.  I know I made this
> variable so that in the future I could easily update it, but here I am
> trying to update it with no success.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140203/78a7734e/attachment.html

More information about the Bro mailing list