[Bro] BPF Filter Help

Michał Purzyński michalpurzynski1 at gmail.com
Mon Feb 9 08:57:11 PST 2015


Is there any reason why you cannot share this kind of information on
the list, so everyone can benefit?

Looks like man ethtool, right?

On Mon, Feb 9, 2015 at 5:49 PM, DJ Root <dj.root at netronome.com> wrote:
> Adam,
>
> What you describe here is a fairly straightforward match/action rule - in your case you want to perform some action when you receive dst host 10.8.0.56 / dst port 53 / src host X / src port Y traffic - right?  This operation can be done on an intelligent NIC card without any interaction with Bro (or BPF for that matter).
>
> If you would like more information on how we could help solve this problem, please email me privately.
>
> Regards,
> DJ Root
>> On Feb 9, 2015, at 9:19 AM, Seth Hall <seth at icir.org> wrote:
>>
>>
>>> On Feb 8, 2015, at 7:53 PM, Adam Hall <abhall1 at yahoo.com> wrote:
>>>
>>> 1423442632.139980       bro     (ip or not ip) and (not (dst host 10.8.0.85 and dst port 53))   T       T
>>> The only way I have been able to successfully get this to work is by defining only "host" or "port", I have not been able to get this to be successful using a "src host", "dst host", "src port", or "dst port".
>>>
>>> This creates a problem to the point it's almost unusable to me as I cannot ignore all traffic for "host 10.8.0.85 and port 53".
>>
>> It’s unlikely that you are ever going to want to use the “src” or “dst” modifiers in filters meant for Bro.  Bro is intended to look at both directions of traffic to successfully analyze connections and you are intrinsically breaking that when you use src or dst.
>>
>> What is the end result you’re trying to get to?  You just don’t want to see dns traffic involving host 10.8.0.85?
>>
>> The problem here is that there is a disjoint in the semantics of BPF and the typical semantics of Bro.  Bro operates on connections (and flows to a slightly lesser degree currently).  BPF is completely oriented around packets.  It causes these little confusions unfortunately.
>>
>>  .Seth
>>
>> --
>> Seth Hall
>> International Computer Science Institute
>> (Bro) because everyone has a network
>> http://www.bro.org/
>>
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
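As an added example (not code from Bro, libpcap, or anyone on this thread), the Python below models the pcap-filter(7) semantics of the `host`/`port` primitives and their `src`/`dst` qualifiers over a constructed DNS query/reply pair. It shows the packet-versus-connection mismatch discussed above: the `dst host ... and dst port 53` form drops the query but still delivers the reply, so Bro sees half a connection, whereas `host ... and port 53` excludes both directions. The addresses, ports, packets and the small parser are assumptions made for illustration only.

```python
"""Packet-level evaluation of BPF-style filters over a constructed DNS exchange.

Added example, not Bro or libpcap code. It models the pcap-filter(7)
semantics of host/port with src/dst qualifiers on constructed packets.
"""
import re
from typing import NamedTuple


class Packet(NamedTuple):
    src_host: str
    src_port: int
    dst_host: str
    dst_port: int


# Tokens: parentheses, keywords, dotted IPv4 addresses, plain numbers.
TOKEN_RE = re.compile(r"\(|\)|[A-Za-z]+|\d+(?:\.\d+){3}|\d+")


def tokenize(expr: str) -> list:
    return TOKEN_RE.findall(expr)


class Parser:
    """Recursive-descent parser for a subset of the pcap filter grammar:
    expr := term ('or' term)*   term := factor ('and' factor)*
    factor := 'not' factor | '(' expr ')' | primitive
    primitive := ['src'|'dst'] ('host' IP | 'port' NUM) | 'ip'
    Each node compiles to a predicate Packet -> bool.
    """

    def __init__(self, tokens):
        self.toks = tokens
        self.i = 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected!r}, got {tok!r}")
        self.i += 1
        return tok

    def parse(self):
        node = self.expr()
        if self.peek() is not None:
            raise ValueError(f"trailing token {self.peek()!r}")
        return node

    def expr(self):
        left = self.term()
        while self.peek() == "or":
            self.take()
            right = self.term()
            left = (lambda l, r: lambda p: l(p) or r(p))(left, right)
        return left

    def term(self):
        left = self.factor()
        while self.peek() == "and":
            self.take()
            right = self.factor()
            left = (lambda l, r: lambda p: l(p) and r(p))(left, right)
        return left

    def factor(self):
        tok = self.peek()
        if tok == "not":
            self.take()
            inner = self.factor()
            return lambda p: not inner(p)
        if tok == "(":
            self.take()
            inner = self.expr()
            self.take(")")
            return inner
        return self.primitive()

    def primitive(self):
        tok = self.take()
        if tok == "ip":
            return lambda p: True  # every constructed packet is IPv4
        dirs = ("src", "dst")     # unqualified host/port match either side
        if tok in dirs:
            dirs = (tok,)         # src/dst restricts to one direction
            tok = self.take()
        if tok == "host":
            value = self.take()
            return lambda p: any(getattr(p, f"{d}_host") == value for d in dirs)
        if tok == "port":
            value = int(self.take())
            return lambda p: any(getattr(p, f"{d}_port") == value for d in dirs)
        raise ValueError(f"unsupported token {tok!r}")


def compile_filter(expr: str):
    return Parser(tokenize(expr)).parse()


def passes(expr: str, packets):
    """Return the packets the filter lets through to the analyzer."""
    fn = compile_filter(expr)
    return [p for p in packets if fn(p)]


# Constructed DNS exchange (assumed addresses): client 10.8.0.12 queries
# the resolver at 10.8.0.85 and gets a reply; OTHER is unrelated traffic.
QUERY = Packet("10.8.0.12", 51234, "10.8.0.85", 53)
REPLY = Packet("10.8.0.85", 53, "10.8.0.12", 51234)
OTHER = Packet("10.8.0.12", 40000, "10.8.0.85", 443)

DST_ONLY = "(ip or not ip) and (not (dst host 10.8.0.85 and dst port 53))"
BOTH_DIRS = "(ip or not ip) and (not (host 10.8.0.85 and port 53))"

if __name__ == "__main__":
    for name, f in (("dst-qualified", DST_ONLY), ("unqualified", BOTH_DIRS)):
        print(name, "->", passes(f, [QUERY, REPLY, OTHER]))
```

Running it shows the dst-qualified filter still delivering the reply packet from 10.8.0.85:53, so the analyzer receives one direction of every DNS connection to that host, while the unqualified `host ... and port 53` form removes both the query and the reply and leaves only the unrelated packet.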


