[Bro] restrict_filters not preventing logging of selected IP addresses

Richard Johnson rdump at river.com
Sun Apr 19 11:25:09 PDT 2015


I think I'm specifying restrict_filters correctly to stop some hosts from 
being logged, but it's not working as I intend/expect.

My local.bro redefinition of restrict_filters (below) is being recognized and 
propagated by broctl install, as confirmed by print restrict_filters after 
restarting.

As further confirmation that the redef is being noticed, if I specify a pcap 
syntax impossibility in restrict_filters, I get workers quitting with
"fatal error in /raid/bro/share/bro/base/frameworks/packet-filter/./main.bro,
line 282: Bad pcap filter ..." on a restart.

Yet when the restrict_filter is OK and is seemingly recognized, the IP 
addresses in the restrict_filters still appear in log entries.

This logging continues after a broctl install and update, after a broctl 
install and restart, as well as after a complete cluster reboot.

I'm seeing this under Bro 2.3-7 on CentOS 6.5 with pfring.  Whether the 
capture_filters are redef'ed as shown in the details below, or not, doesn't 
change the restrict_filters failure I'm seeing.

Any ideas for where to take this debugging odyssey?  What am I missing that's 
obvious?


Richard

-------
Details:

[manager-host ~]$ grep capture_filters /raid/bro/share/bro/site/local.bro
redef capture_filters = { ["all"] = "ip or not ip" };
[manager-host ~]$ grep restrict_filters /raid/bro/share/bro/site/local.bro
redef restrict_filters += { ["not-these-hosts"] = "not host 172.16.1.1 and not 
host 172.16.22.22 and not host 172.16.39.39 and not host 172.16.88.88" };

[lines condensed for this message by removing extra pretty printing <cr>s]
[BroControl] > print capture_filters
      manager   capture_filters = { [all] = ip or not ip }
      proxy-1   capture_filters = { [all] = ip or not ip }
      proxy-2   capture_filters = { [all] = ip or not ip }
   worker-1-1   capture_filters = { [all] = ip or not ip }
   worker-1-2   capture_filters = { [all] = ip or not ip }
   worker-1-3   capture_filters = { [all] = ip or not ip }
   worker-1-4   capture_filters = { [all] = ip or not ip }
   worker-2-1   capture_filters = { [all] = ip or not ip }
   worker-2-2   capture_filters = { [all] = ip or not ip }
   worker-2-3   capture_filters = { [all] = ip or not ip }
   worker-2-4   capture_filters = { [all] = ip or not ip }

[lines condensed for this message by removing extra pretty printing <cr>s]
[BroControl] > print restrict_filters
      manager   restrict_filters = { [not-these-hosts] = not host 172.16.1.1 
and not host 172.16.22.22 and not host 172.16.39.39 and not host 172.16.88.88 }
      proxy-1   restrict_filters = { [not-these-hosts] = not host 172.16.1.1 
and not host 172.16.22.22 and not host 172.16.39.39 and not host 172.16.88.88 }
      proxy-2   restrict_filters = { [not-these-hosts] = not host 172.16.1.1 
and not host 172.16.22.22 and not host 172.16.39.39 and not host 172.16.88.88 }
   worker-1-1   restrict_filters = { [not-these-hosts] = not host 172.16.1.1 
and not host 172.16.22.22 and not host 172.16.39.39 and not host 172.16.88.88 }
   worker-1-2   restrict_filters = { [not-these-hosts] = not host 172.16.1.1 
and not host 172.16.22.22 and not host 172.16.39.39 and not host 172.16.88.88 }
   worker-1-3   restrict_filters = { [not-these-hosts] = not host 172.16.1.1 
and not host 172.16.22.22 and not host 172.16.39.39 and not host 172.16.88.88 }
   worker-1-4   restrict_filters = { [not-these-hosts] = not host 172.16.1.1 
and not host 172.16.22.22 and not host 172.16.39.39 and not host 172.16.88.88 }
   worker-2-1   restrict_filters = { [not-these-hosts] = not host 172.16.1.1 
and not host 172.16.22.22 and not host 172.16.39.39 and not host 172.16.88.88 }
   worker-2-2   restrict_filters = { [not-these-hosts] = not host 172.16.1.1 
and not host 172.16.22.22 and not host 172.16.39.39 and not host 172.16.88.88 }
   worker-2-3   restrict_filters = { [not-these-hosts] = not host 172.16.1.1 
and not host 172.16.22.22 and not host 172.16.39.39 and not host 172.16.88.88 }
   worker-2-4   restrict_filters = { [not-these-hosts] = not host 172.16.1.1 
and not host 172.16.22.22 and not host 172.16.39.39 and not host 172.16.88.88 }

[manager-host current]$ grep 172.16.88.88 conn.log | tail -3
1429461245.805348       CpuepS3Ds2GYzABCtb      xx.xx.xx.xx   xxxxx 
172.16.88.88   443    tcp     ssl     4192.655995     14660   16441   S1 
F      0ShADda  50      17268   49      19001   (empty)
1429464730.699197       CqVMY53iVvTFSWclAi      xx.xx.xx.xx    xxxxx 
172.16.88.88   443    tcp     ssl     1002.988461     5491    4481    SF 
F      0ShADdaFf        21      6591    17      5377    (empty)
1429464286.982078       CUl3Cl24bUWkgbhAGd      xx.xx.xx.xx   xxxxx 
172.16.88.88   443     tcp     ssl     1447.315821     7095    5595    SF 
  F      0ShADdafF        25      8403    21      6699    (empty)

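Added example (not part of Richard's message or of the Bro distribution): a small Python check for exactly this situation. It reproduces how the packet-filter framework is assumed to assemble the installed BPF expression (capture_filters OR-ed, restrict_filters AND-ed, the two halves AND-ed together; that combination rule is my reading of base/frameworks/packet-filter/main.bro, not code taken from it) and then parses packet_filter.log, which records per node the filter string Bro actually installed and whether installation succeeded, so you can see whether the restrict clause reached the workers at all. The sample log lines are constructed for the example.

```python
"""Verify that a restrict_filters redef reached the installed BPF filter.

Bro writes packet_filter.log with the fields ts, node, filter, init, success;
this script parses that log and compares the installed filter against the
restrict_filters table from local.bro.
"""


def join_filters(filters, op):
    # Each table value becomes a parenthesised sub-expression joined by op.
    return f" {op} ".join(f"({f})" for f in filters.values())


def build_filter(capture_filters, restrict_filters):
    # Assumption (my reading of the packet-filter framework, not its code):
    # capture_filters are OR-ed, restrict_filters are AND-ed, and the two
    # halves are AND-ed. An empty capture table falls back to "ip or not ip".
    cap = join_filters(capture_filters, "or") or "ip or not ip"
    res = join_filters(restrict_filters, "and")
    return f"{cap} and {res}" if res else cap


def parse_packet_filter_log(text):
    """Parse Bro's tab-separated ASCII log into a list of dicts keyed by #fields."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header lines and blanks
        elif fields:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def check_restrict_applied(text, restrict_filters):
    """Per node: (every restrict clause present in the installed filter?,
    did Bro report success=T?)."""
    result = {}
    for row in parse_packet_filter_log(text):
        installed = row["filter"]
        applied = all(clause in installed for clause in restrict_filters.values())
        result[row["node"]] = (applied, row["success"] == "T")
    return result


# Tables as they would appear in local.bro.
CAPTURE = {"all": "ip or not ip"}
RESTRICT = {"not-these-hosts": "not host 172.16.1.1 and not host 172.16.88.88"}

EXPECTED = build_filter(CAPTURE, RESTRICT)

# Constructed packet_filter.log: one worker got the restrict clause, one did
# not, and one got it but failed to install it.
SAMPLE_LOG = "\n".join([
    "#separator \\x09",
    "#path\tpacket_filter",
    "#fields\tts\tnode\tfilter\tinit\tsuccess",
    "#types\ttime\tstring\tstring\tbool\tbool",
    "\t".join(["1429460000.000001", "worker-1-1", EXPECTED, "T", "T"]),
    "\t".join(["1429460000.000002", "worker-1-2", "ip or not ip", "T", "T"]),
    "\t".join(["1429460000.000003", "worker-1-3", EXPECTED, "T", "F"]),
])


if __name__ == "__main__":
    print("expected filter:", EXPECTED)
    for node, (applied, ok) in sorted(check_restrict_applied(SAMPLE_LOG, RESTRICT).items()):
        status = "restrict applied" if applied else "restrict MISSING"
        status += ", installed" if ok else ", INSTALL FAILED"
        print(f"{node:12} {status}")
```

Run it against the real file with `check_restrict_applied(open("packet_filter.log").read(), RESTRICT)`; a worker whose installed filter lacks the clause, or whose success column is F, narrows the problem to filter construction or installation on that node rather than to the redef itself.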
