[Bro] Bro Digest, Vol 106, Issue 14

abhall1 abhall1 at yahoo.com
Tue Feb 10 13:11:48 PST 2015


To Seth Hall,

     Thank you for the response.  I still wish I could filter traffic that way, but I do see the logic in your reasoning.  We decided ultimately to stick with the filter for that host and port 53.

Thank you for your time and help!

Adam Hall




-------- Original message --------
From: bro-request at bro.org 
Date: 02/09/2015  3:00 PM  (GMT-05:00) 
To: bro at bro.org 
Subject: Bro Digest, Vol 106, Issue 14 

Send Bro mailing list submissions to
bro at bro.org

To subscribe or unsubscribe via the World Wide Web, visit
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
or, via email, send a message with subject or body 'help' to
bro-request at bro.org

You can reach the person managing the list at
bro-owner at bro.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Bro digest..."


Today's Topics:

   1. Re: BPF Filter Help (Michał Purzyński)
   2. Re: BPF Filter Help (DJ Root)


----------------------------------------------------------------------

Message: 1
Date: Mon, 9 Feb 2015 19:28:25 +0100
From: Michał Purzyński <michalpurzynski1 at gmail.com>
Subject: Re: [Bro] BPF Filter Help
To: DJ Root <dj.root at netronome.com>
Cc: Adam Hall <abhall1 at yahoo.com>, "Bro at bro.org" <Bro at bro.org>
Message-ID:
<CAJ6bFK2hrfEz7rXyeMca9AP028c5Mdh9+S_OjVawefTLegq4Bg at mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

Do you use X520 chip by accident?

On Mon, Feb 9, 2015 at 7:20 PM, DJ Root <dj.root at netronome.com> wrote:
> Michal,
>
> No, there is not.  However, I come from the vendor side and, therefore, don't want to disrupt the integrity of a technology mailing list.  That said we have Bro running in our lab, so our claims can be supported by real data and demos.
>
> As far as the question below is concerned, we (Netronome) have intelligent NICs and software to do match / action operations in hardware.  We can set-up 5-tuple filtering in hardware which can address Adam's problem.  Result - BPF is off-loaded from the CPU; Bro is not changed, but now has more CPU cycles to process flows.
>
> Regards,
> DJ Root
>
> DJ Root
> Director of Sales, Americas East and EMEA
> Netronome, Inc.
> (617)686-0253
>
>
>
>
>> On Feb 9, 2015, at 11:57 AM, Michał Purzyński <michalpurzynski1 at gmail.com> wrote:
>>
>> Is there any reason why you cannot share this kind of information on
>> the list, so everyone can benefit?
>>
>> Looks like man ethtool, right?
>>
>> On Mon, Feb 9, 2015 at 5:49 PM, DJ Root <dj.root at netronome.com> wrote:
>>> Adam,
>>>
>>> What you describe here is a fairly straightforward match/action rule - in your case you want to perform some action when you receive dst host 10.8.0.56 / dst port 53 / src host X / src port Y traffic - right?  This operation can be done on an intelligent NIC card without any interaction with Bro (or BPF for that matter).
>>>
>>> If you would like more information on how we could help solve this problem, please email me privately.
>>>
>>> Regards,
>>> DJ Root
>>>> On Feb 9, 2015, at 9:19 AM, Seth Hall <seth at icir.org> wrote:
>>>>
>>>>
>>>>> On Feb 8, 2015, at 7:53 PM, Adam Hall <abhall1 at yahoo.com> wrote:
>>>>>
>>>>> 1423442632.139980       bro     (ip or not ip) and (not (dst host 10.8.0.85 and dst port 53))   T       T
>>>>> The only way I have been able to successfully get this to work is by defining only "host" or "port", I have not been able to get this to be successful using a "src host", "dst host", "src port", or "dst port".
>>>>>
>>>>> This creates a problem to the point it's almost unusable to me as I cannot ignore all traffic for "host 10.8.0.85 and port 53".
>>>>
>>>> It's unlikely that you are ever going to want to use the 'src' or 'dst' modifiers in filters meant for Bro.  Bro is intended to look at both directions of traffic to successfully analyze connections and you are intrinsically breaking that when you use src or dst.
>>>>
>>>> What is the end result you're trying to get to?  You just don't want to see dns traffic involving host 10.8.0.85?
>>>>
>>>> The problem here is that there is a disjoint in the semantics of BPF and the typical semantics of Bro.  Bro operates on connections (and flows to a slightly lesser degree currently).  BPF is completely oriented around packets.  It causes these little confusions unfortunately.
>>>>
>>>> .Seth
>>>>
>>>> --
>>>> Seth Hall
>>>> International Computer Science Institute
>>>> (Bro) because everyone has a network
>>>> http://www.bro.org/
>>>>
>>>>
>>>> _______________________________________________
>>>> Bro mailing list
>>>> bro at bro-ids.org
>>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>
>>>
>



------------------------------

Message: 2
Date: Mon, 9 Feb 2015 13:30:58 -0500
From: DJ Root <dj.root at netronome.com>
Subject: Re: [Bro] BPF Filter Help
To: Michał Purzyński <michalpurzynski1 at gmail.com>
Cc: Adam Hall <abhall1 at yahoo.com>, "Bro at bro.org" <Bro at bro.org>
Message-ID: <9DF4A6E9-A88B-4EAC-B7B6-7117D20565F2 at netronome.com>
Content-Type: text/plain; charset=utf-8

No.  We design and develop our own ASIC (Flow Processor).  It is the NFP32xx and NFP6xxx.  We use Intel as our foundry.

Regards,
DJ
> On Feb 9, 2015, at 1:28 PM, Michał Purzyński <michalpurzynski1 at gmail.com> wrote:
> 
> Do you use X520 chip by accident?
> 




------------------------------



End of Bro Digest, Vol 106, Issue 14
************************************
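The mismatch Seth Hall points out in the thread (BPF decides per packet, Bro analyzes whole connections) can be made concrete with a small evaluator. The block below is an added example written for this page, not code from Bro, libpcap or any list member; it implements only a toy subset of BPF syntax (`host`/`port` with an optional `src`/`dst` qualifier, `and`/`or`/`not`, parentheses and `ip`) and runs the directional filter from Adam's log line and the undirected `host ... and port 53` form over a constructed DNS query/response pair. The packet values are made up for the example.

```python
"""Toy evaluator for a BPF subset, used to show why "dst host X and dst port 53"
drops only one direction of a DNS exchange while "host X and port 53" drops both.
Added example; not Bro or libpcap code. Packets below are constructed."""

import re

# Constructed sample: a DNS query to 10.8.0.85 and the matching response.
QUERY    = {"src": "10.8.0.20", "sport": 51234, "dst": "10.8.0.85", "dport": 53}
RESPONSE = {"src": "10.8.0.85", "sport": 53, "dst": "10.8.0.20", "dport": 51234}

# The first filter is the one from Adam's log line; the second is the undirected form.
DIRECTIONAL     = "(ip or not ip) and (not (dst host 10.8.0.85 and dst port 53))"
NON_DIRECTIONAL = "(ip or not ip) and (not (host 10.8.0.85 and port 53))"


def tokenize(text):
    """Split a filter into parentheses and whitespace-separated words."""
    return re.findall(r"\(|\)|[^\s()]+", text)


class BpfSubset:
    """Recursive-descent evaluator. Precedence as in pcap-filter(7): not > and > or.
    Supported primitives: ip, [src|dst] host ADDR, [src|dst] port NUM."""

    def __init__(self, text):
        self.toks = tokenize(text)
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def matches(self, pkt):
        """True if the packet passes the filter (i.e. would be delivered to Bro)."""
        self.pos = 0
        result = self.expr(pkt)
        if self.peek() is not None:
            raise ValueError("trailing tokens in filter")
        return result

    def expr(self, pkt):
        val = self.term(pkt)
        while self.peek() == "or":
            self.take()
            val = self.term(pkt) or val   # always evaluate so the parser stays in sync
        return val

    def term(self, pkt):
        val = self.factor(pkt)
        while self.peek() == "and":
            self.take()
            val = self.factor(pkt) and val
        return val

    def factor(self, pkt):
        tok = self.take()
        if tok == "not":
            return not self.factor(pkt)
        if tok == "(":
            val = self.expr(pkt)
            if self.take() != ")":
                raise ValueError("missing ')'")
            return val
        if tok == "ip":
            return True  # every constructed sample packet is IPv4
        direction = None
        if tok in ("src", "dst"):
            direction = tok
            tok = self.take()
        if tok == "host":
            return self._match(pkt, direction, "src", "dst", self.take())
        if tok == "port":
            return self._match(pkt, direction, "sport", "dport", int(self.take()))
        raise ValueError(f"unsupported token {tok!r}")

    @staticmethod
    def _match(pkt, direction, src_key, dst_key, value):
        # Undirected "host"/"port" matches either end; src/dst pins one end.
        if direction == "src":
            return pkt[src_key] == value
        if direction == "dst":
            return pkt[dst_key] == value
        return value in (pkt[src_key], pkt[dst_key])


def packets_bro_would_see(filter_text, packets):
    """Return the packets that pass the capture filter and reach Bro."""
    f = BpfSubset(filter_text)
    return [p for p in packets if f.matches(p)]


if __name__ == "__main__":
    for name, flt in (("directional", DIRECTIONAL), ("undirected", NON_DIRECTIONAL)):
        seen = packets_bro_would_see(flt, [QUERY, RESPONSE])
        print(f"{name}: Bro sees {len(seen)} of 2 packets -> {seen}")
```

With the directional filter the query is dropped but the server's response still reaches Bro, so the connection analyzer sees only half of the exchange; with `host 10.8.0.85 and port 53` both directions are dropped, which is why the undirected form is the one that behaves as intended for a connection-oriented analyzer.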