[Bro] restrict_filters not preventing logging of selected IP addresses
Richard Johnson
rdump at river.com
Sun Apr 19 11:25:09 PDT 2015
I think I'm specifying restrict_filters correctly to stop some hosts from
being logged, but it's not working as I intend/expect.
My local.bro redefinition of restrict_filters (below) is being recognized and
propagated by broctl install, as confirmed by print restrict_filters after
restarting.
As further confirmation that the redef is being noticed, if I specify a pcap
syntax impossibility in restrict_filters, I get workers quitting with
"fatal error in /raid/bro/share/bro/base/frameworks/packet-filter/./main.bro,
line 282: Bad pcap filter ..." on a restart.
Yet when the restrict_filter is OK and is seemingly recognized, the IP
addresses in the restrict_filters still appear in log entries.
This logging continues after a broctl install and update, after a broctl
install and restart, as well as after a complete cluster reboot.
I'm seeing this under Bro 2.3-7 on CentOS 6.5 with pfring. Whether the
capture_filters are redef'ed as shown in the details below, or not, doesn't
change the restrict_filters failure I'm seeing.
Any ideas for where to take this debugging odyssey? What am I missing that's
obvious?
Richard
-------
Details:
[manager-host ~]$ grep capture_filters /raid/bro/share/bro/site/local.bro
redef capture_filters = { ["all"] = "ip or not ip" };
[manager-host ~]$ grep restrict_filters /raid/bro/share/bro/site/local.bro
redef restrict_filters += { ["not-these-hosts"] = "not host 172.16.1.1 and not
host 172.16.22.22 and not host 172.16.39.39 and not host 172.16.88.88" };
[lines condensed for this message by removing extra pretty printing <cr>s]
[BroControl] > print capture_filters
manager capture_filters = { [all] = ip or not ip }
proxy-1 capture_filters = { [all] = ip or not ip }
proxy-2 capture_filters = { [all] = ip or not ip }
worker-1-1 capture_filters = { [all] = ip or not ip }
worker-1-2 capture_filters = { [all] = ip or not ip }
worker-1-3 capture_filters = { [all] = ip or not ip }
worker-1-4 capture_filters = { [all] = ip or not ip }
worker-2-1 capture_filters = { [all] = ip or not ip }
worker-2-2 capture_filters = { [all] = ip or not ip }
worker-2-3 capture_filters = { [all] = ip or not ip }
worker-2-4 capture_filters = { [all] = ip or not ip }
[lines condensed for this message by removing extra pretty printing <cr>s]
[BroControl] > print restrict_filters
manager restrict_filters = { [not-these-hosts] = not host 172.16.1.1
and not host 172.16.22.22 and not host 172.16.39.39 and not host 172.16.88.88 }
proxy-1 restrict_filters = { [not-these-hosts] = not host 172.16.1.1
and not host 172.16.22.22 and not host 172.16.39.39 and not host 172.16.88.88 }
proxy-2 restrict_filters = { [not-these-hosts] = not host 172.16.1.1
and not host 172.16.22.22 and not host 172.16.39.39 and not host 172.16.88.88 }
worker-1-1 restrict_filters = { [not-these-hosts] = not host 172.16.1.1
and not host 172.16.22.22 and not host 172.16.39.39 and not host 172.16.88.88 }
worker-1-2 restrict_filters = { [not-these-hosts] = not host 172.16.1.1
and not host 172.16.22.22 and not host 172.16.39.39 and not host 172.16.88.88 }
worker-1-3 restrict_filters = { [not-these-hosts] = not host 172.16.1.1
and not host 172.16.22.22 and not host 172.16.39.39 and not host 172.16.88.88 }
worker-1-4 restrict_filters = { [not-these-hosts] = not host 172.16.1.1
and not host 172.16.22.22 and not host 172.16.39.39 and not host 172.16.88.88 }
worker-2-1 restrict_filters = { [not-these-hosts] = not host 172.16.1.1
and not host 172.16.22.22 and not host 172.16.39.39 and not host 172.16.88.88 }
worker-2-2 restrict_filters = { [not-these-hosts] = not host 172.16.1.1
and not host 172.16.22.22 and not host 172.16.39.39 and not host 172.16.88.88 }
worker-2-3 restrict_filters = { [not-these-hosts] = not host 172.16.1.1
and not host 172.16.22.22 and not host 172.16.39.39 and not host 172.16.88.88 }
worker-2-4 restrict_filters = { [not-these-hosts] = not host 172.16.1.1
and not host 172.16.22.22 and not host 172.16.39.39 and not host 172.16.88.88 }
[manager-host current]$ grep 172.16.88.88 conn.log | tail -3
1429461245.805348 CpuepS3Ds2GYzABCtb xx.xx.xx.xx xxxxx
172.16.88.88 443 tcp ssl 4192.655995 14660 16441 S1
F 0ShADda 50 17268 49 19001 (empty)
1429464730.699197 CqVMY53iVvTFSWclAi xx.xx.xx.xx xxxxx
172.16.88.88 443 tcp ssl 1002.988461 5491 4481 SF
F 0ShADdaFf 21 6591 17 5377 (empty)
1429464286.982078 CUl3Cl24bUWkgbhAGd xx.xx.xx.xx xxxxx
172.16.88.88 443 tcp ssl 1447.315821 7095 5595 SF
F 0ShADdafF 25 8403 21 6699 (empty)
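One way to quantify the problem described above is to check conn.log directly against the hosts named in the restrict filter. The script below is an added example, not part of the post or of Bro itself; it assumes conn.log in Bro's default tab-separated format with a #fields header, and the log excerpt it embeds is constructed (the addresses are the ones from the post, the other fields are made up).

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the restrict_filters value from the post and a small
# conn.log excerpt in Bro's default TSV format with a #fields header.
# The uids, ports and the non-172.16.x.x addresses are made up.
RESTRICT_FILTER = ("not host 172.16.1.1 and not host 172.16.22.22 "
                   "and not host 172.16.39.39 and not host 172.16.88.88")

CONN_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice",
    "1429461245.805348\tCpuepS3Ds2GYzABCtb\t10.0.0.5\t51234\t172.16.88.88\t443\ttcp\tssl",
    "1429461250.000000\tCabc123\t10.0.0.6\t40000\t192.0.2.10\t80\ttcp\thttp",
    "1429461260.000000\tCdef456\t172.16.1.1\t123\t192.0.2.1\t123\tudp\tntp",
])

# Matches the IPv4 literal of every 'host X' clause in a BPF expression.
HOST_RE = re.compile(r"\bhost\s+(\d{1,3}(?:\.\d{1,3}){3})\b")


def excluded_hosts(bpf: str) -> Set[str]:
    """Return the set of IPv4 addresses named in 'host X' clauses of the filter."""
    return set(HOST_RE.findall(bpf))


def leaked_connections(conn_log: str, bpf: str) -> List[Tuple[str, str, str]]:
    """Return (uid, id.orig_h, id.resp_h) for every conn.log record whose
    endpoints should have been dropped by the restrict filter.

    Column positions are taken from the #fields header, so the check does not
    depend on the exact column layout of a given Bro version."""
    hosts = excluded_hosts(bpf)
    idx: Dict[str, int] = {}
    leaks: List[Tuple[str, str, str]] = []
    for line in conn_log.splitlines():
        if line.startswith("#fields"):
            idx = {name: i for i, name in enumerate(line.split("\t")[1:])}
            continue
        if not line or line.startswith("#"):
            continue  # other metadata lines (#separator, #path, ...)
        cols = line.split("\t")
        orig, resp = cols[idx["id.orig_h"]], cols[idx["id.resp_h"]]
        if orig in hosts or resp in hosts:
            leaks.append((cols[idx["uid"]], orig, resp))
    return leaks


if __name__ == "__main__":
    for uid, orig, resp in leaked_connections(CONN_LOG, RESTRICT_FILTER):
        print(f"{uid}: {orig} -> {resp} should have been excluded by the filter")
```

Running it against a real conn.log (read the file instead of CONN_LOG) gives a count of records that slipped past the filter, which is a more reliable signal than grepping for one address.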