[Bro] BPF Filter Help

Adam Hall abhall1 at yahoo.com
Sun Feb 8 16:53:11 PST 2015


Good Evening Bro Team,
I have run into an issue with using the BPF packet filter.  I have had the same issue using Bro 2.2, 2.3.1, and 2.3.411 on both Ubuntu 14.04 and Gentoo 3.0.2.  The way I am calling the packet filter is through the local.bro file using this command:

    # Packet Filter options
    event bro_init()
            {
            PacketFilter::exclude("ignore_this_conn", "host 10.8.0.85 and port 53");
            }
and you can see it accepted the filter using "broctl diag":

1423442280.253256       bro     (ip or not ip) and (not (host 10.8.0.85 and port 53))   T       T

If you used an incorrect bpf filter like "source.host 10.8.0.85" the "broctl diag" would give you nothing:

1423442280.253847       bro     (ip or not ip)   T       T

What I am currently trying to do is exclude dns traffic with a destination of this host and port 53:
(dst host 10.8.0.85 and dst port 53)
When I add this in the exclude statement the bpf is accepted:
1423442632.139980       bro     (ip or not ip) and (not (dst host 10.8.0.85 and dst port 53))   T       T
However, the traffic is still being allowed and not excluded:
1423442692.141824       C7pSulFJiU150KhFk       10.8.1.43       46088   10.8.0.85       53      udp     33647   -       -       -       -     -
The only way I have been able to successfully get this to work is by defining only "host" or "port"; I have not been able to get it to work using "src host", "dst host", "src port", or "dst port".
This creates a problem to the point that it's almost unusable to me, as I cannot ignore all traffic for "host 10.8.0.85 and port 53".
Any help with this would be greatly appreciated!
Thank You,
Adam B. Hall | CCNA
Senior Security Analyst

Office: 1-800-538-9357 x 122
Mobile: 1-904-303-3198
Quadrant Information Security
4651 Salisbury Road, Suite 185 | Jacksonville, FL 32256

See our Quadrant Video
https://quadrantsec.com/SaganMSSP/
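An added reference check, not from the original post or from Bro itself: a tiny evaluator of the BPF primitives named in the message, run over constructed packets for the logged 10.8.1.43:46088 -> 10.8.0.85:53 flow, showing which direction of the connection each exclude expression actually drops. It assumes Bro's "(ip or not ip) and (not (...))" wrapper exactly as the broctl diag output shows it; the packet tuples are constructed.

```python
# Added example (not the original post's or Bro's code): a minimal reference
# evaluator for the BPF host/port primitives used in the message, applied to
# constructed packets so the direction semantics of each filter can be checked.
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


# BPF primitives: unqualified "host"/"port" match either direction,
# "src"/"dst" qualified ones match only that side of the packet.
def host(addr):     return lambda p: addr in (p.src, p.dst)
def src_host(addr): return lambda p: p.src == addr
def dst_host(addr): return lambda p: p.dst == addr
def port(n):        return lambda p: n in (p.sport, p.dport)
def src_port(n):    return lambda p: p.sport == n
def dst_port(n):    return lambda p: p.dport == n
def and_(a, b):     return lambda p: a(p) and b(p)
def not_(a):        return lambda p: not a(p)


def bro_capture_filter(exclude):
    # Bro's diag output shows "(ip or not ip) and (not (<expr>))"; the first
    # clause is always true, so the effective capture filter is "not (<expr>)".
    return not_(exclude)


# Constructed packets for the flow in the conn.log line: query and reply.
QUERY = Pkt("10.8.1.43", 46088, "10.8.0.85", 53)
REPLY = Pkt("10.8.0.85", 53, "10.8.1.43", 46088)

FILTERS = {
    "host 10.8.0.85 and port 53":         and_(host("10.8.0.85"), port(53)),
    "dst host 10.8.0.85 and dst port 53": and_(dst_host("10.8.0.85"), dst_port(53)),
}


def captured(exclude_expr):
    """Return which packets of the flow still pass the capture filter."""
    keep = bro_capture_filter(FILTERS[exclude_expr])
    return {"query": keep(QUERY), "reply": keep(REPLY)}


if __name__ == "__main__":
    for expr in FILTERS:
        print(f"exclude {expr!r}: still captured -> {captured(expr)}")
```

The unqualified filter drops both packets, while the "dst"-qualified one drops only the query; the reply from 10.8.0.85 port 53 still passes the filter, so a dst-only exclude cannot remove the whole connection from what Bro sees.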
