[Bro] Trying to use different bpf filters on every worker

C. L. Martinez carlopmart at gmail.com
Mon Feb 24 06:56:36 PST 2014


On Mon, Feb 24, 2014 at 2:22 PM, C. L. Martinez <carlopmart at gmail.com> wrote:
> On Mon, Feb 24, 2014 at 12:07 PM, C. L. Martinez <carlopmart at gmail.com> wrote:
>> Hi all,
>>
>>  After installing my first bro cluster with one manager and three
>> workers, now I need to configure different bpf filters for every bro
>> worker.
>>
>>  If I am not wrong, I need to put an entry like this:
>>
>> redef cmd_line_bpf_filter = "ip and port 80 or port 443"; (for example)
>>
>>  in the local.bro file on every worker node. Is this correct for Bro 2.2??
>>
>> Thanks.
>
> Oops, my mistake. I have modified local.bro in one of the workers:
>
> ##! Local site policy. Customize as appropriate.
> ##!
> ##! This file will not be overwritten when upgrading or reinstalling!
>
> redef PacketFilter::enable_auto_protocol_capture_filters = F;
> redef capture_filters = { ["all"] = "ip or not ip" };
> redef restrict_filters = { ["not-hosts"] = "not host 10.10.1.15" };
>
> but it doesn't work:
>
> [BroControl] > print restrict_filters
>    manager   restrict_filters = {
>
> }
>    proxy-1   restrict_filters = {
>
> }
>   worker-1   restrict_filters = {
>
> }
> [BroControl] >
>
>  What am I doing wrong??

Uhmm ok, doing the same config using the local-worker.bro file, it works:

[BroControl] > print restrict_filters
   manager   restrict_filters = {

}
   proxy-1   restrict_filters = {

}
  worker-1   restrict_filters = {
[not-hosts] = not host 10.196.0.15
}


Then, how can I discriminate by worker and assign a different bpf
filter to each one??


