[Bro] Adding options to bro managed by broctl

inetjunkmail inetjunkmail at gmail.com
Wed Sep 3 10:14:16 PDT 2014


Seth:

Thanks for the direction.  We ended up leveraging the capture_filter as you
described.  Our traffic is MPLS so the capture filter is a little more
complicated but we've got it working well.  If anyone else needs it, here's
what we've done to use capture_filters in an MPLS environment.  We have
anywhere from 0-2 MPLS labels on our traffic so:

redef capture_filters += {
        ["inet_fltr"] = "(net 1.0.0.0/24 or port 443) or (mpls and (net 1.0.0.0/24 or port 443)) or (mpls and mpls and (net 1.0.0.0/24 or port 443))"
};

There may be some better way to recursively pop any number of MPLS labels
but this seems to work ok in our environment.

Ultimately, we intend to have our tap aggregator pop the MPLS labels and
apply any necessary filters but MPLS label popping is only roadmapped at
this point on our tool.

Thanks


On Sun, Aug 31, 2014 at 12:07 PM, Seth Hall <seth at icir.org> wrote:

>
> On Aug 28, 2014, at 11:07 AM, James Lay <jlay at slave-tothe-box.net> wrote:
>
> > broargs = -f 'net 1.0.0.0/24 or port 443'
> >
> > to your broctl.cfg file.
>
> That will work, but technically it might be a bit better to do something
> like this...
>
> redef capture_filters += {
>         ["watched network"] = "net 1.0.0.0/24",
>         ["https"] = "port 443"
> };
>
> If you build up what you want to capture this way it gives Bro the chance
> to automatically build your BPF filters for you, including checking each
> component of your filter for mistakes which it will then detect at startup
> and tell you which component of your filter failed.  If you use the above
> lines to indicate the traffic you'd like to allow into Bro, you can also
> set restriction filters to limit something a bit.  For instance, in that
> 1.0.0.0/24 subnet you might want to ignore a single host.  You could
> implement that by adding the following lines...
>
> redef restrict_filters += {
>         ["unmonitored host"] = "host 1.0.0.54"
> };
>
> The filter that would ultimately be constructed by those lines is...
>         ((port 443) or (net 1.0.0.0/24)) and (host 1.0.0.54)
>
> One thing to be careful with this though is that generally when you take
> the stance that you are doing filtering you have to be really careful to
> understand your traffic.  If you have any traffic with MPLS or VLAN tags,
> the filters I gave won't allow that traffic through.  If you're interested
> in doing ARP analysis you won't see those packets either.  Same goes for
> IPv6.
>
> Filtering is an area where we've tried to make things simple by running a
> fully open filter, there are a lot of dragons when you stray from that
> path. :)
>
>   .Seth
>
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>