[Bro] BPF Filter Help

Seth Hall seth at icir.org
Mon Feb 9 06:19:11 PST 2015


> On Feb 8, 2015, at 7:53 PM, Adam Hall <abhall1 at yahoo.com> wrote:
> 
> 1423442632.139980       bro     (ip or not ip) and (not (dst host 10.8.0.85 and dst port 53))   T       T
> The only way I have been able to successfully get this to work is by defining only "host" or "port", I have not been able to get this to be successful using a "src host", "dst host", "src port", or "dst port".
> 
> This creates a problem to the point it's almost unusable to me as I cannot ignore all traffic for "host 10.8.0.85 and port 53".

It’s unlikely that you are ever going to want to use the “src” or “dst” modifiers in filters meant for Bro.  Bro is intended to look at both directions of traffic to successfully analyze connections and you are intrinsically breaking that when you use src or dst.

What is the end result you’re trying to get to?  You just don’t want to see dns traffic involving host 10.8.0.85?

The problem here is that there is a disjoint in the semantics of BPF and the typical semantics of Bro.  Bro operates on connections (and flows to a slightly lesser degree currently).  BPF is completely oriented around packets.  It causes these little confusions unfortunately.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
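As an added illustration (not code from the thread or from the Bro project), the following Python models the two filters discussed above against a constructed DNS query/response pair, showing that the `dst host`/`dst port` form drops only one direction of the connection while `host`/`port` drops both:

```python
"""Why 'dst host X and dst port 53' cannot hide a whole DNS conversation.

Added example, not from the Bro project or the mailing-list thread. It models
one DNS query and its reply as constructed packets and applies the two
candidate capture-filter exclusions packet by packet, as BPF would.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Constructed exchange: a client on 10.8.0.2 (assumed address) queries the
# resolver 10.8.0.85 from the thread, and the resolver answers.
CLIENT, RESOLVER = "10.8.0.2", "10.8.0.85"
DNS_QUERY = Packet(CLIENT, 51234, RESOLVER, 53)
DNS_REPLY = Packet(RESOLVER, 53, CLIENT, 51234)
CONNECTION = [DNS_QUERY, DNS_REPLY]


def matches_dst_only(p: Packet) -> bool:
    """BPF predicate 'dst host 10.8.0.85 and dst port 53' (one direction)."""
    return p.dst_ip == RESOLVER and p.dst_port == 53


def matches_host_port(p: Packet) -> bool:
    """BPF predicate 'host 10.8.0.85 and port 53' ('host'/'port' match either end)."""
    return RESOLVER in (p.src_ip, p.dst_ip) and 53 in (p.src_port, p.dst_port)


def captured(exclude, packets):
    """Apply 'not (<exclude>)' the way a capture filter does: per packet, no flow state."""
    return [p for p in packets if not exclude(p)]


def surviving_dst_filter():
    """Packets Bro would still see with 'not (dst host ... and dst port 53)'."""
    return captured(matches_dst_only, CONNECTION)


def surviving_host_port_filter():
    """Packets Bro would still see with 'not (host ... and port 53)'."""
    return captured(matches_host_port, CONNECTION)


if __name__ == "__main__":
    print("dst-only filter leaves:", surviving_dst_filter())   # the reply only
    print("host/port filter leaves:", surviving_host_port_filter())  # nothing
```

The dst-only filter keeps the resolver's reply, so Bro still sees half of the connection; the symmetric host/port form removes both packets.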