[Bro] restrict_filters not preventing logging of selected IP addresses
Richard Johnson
rdump at river.com
Tue Sep 15 15:07:29 PDT 2015
On 2015-04-19 12:25, Richard Johnson wrote:
> I think I'm specifying restrict_filters correctly to stop some hosts from
> being logged, but it's not working as I intend/expect.
...
> Yet when the restrict_filter is OK and is seemingly recognized, the IP
> addresses in the restrict_filters still appear in log entries.
...
> [manager-host ~]$ grep capture_filters /raid/bro/share/bro/site/local.bro
> redef capture_filters = { ["all"] = "ip or not ip" };
> [manager-host ~]$ grep restrict_filters /raid/bro/share/bro/site/local.bro
> redef restrict_filters += { ["not-these-hosts"] = "not host 172.16.1.1 and not
> host 172.16.22.22 and not host 172.16.39.39 and not host 172.16.88.88" };
...
> [manager-host current]$ grep 172.16.88.88 conn.log | tail -3
> 1429461245.805348 CpuepS3Ds2GYzABCtb xx.xx.xx.xx xxxxx
> 172.16.88.88 443 tcp ssl 4192.655995 14660 16441 S1
> F 0ShADda 50 17268 49 19001 (empty)
> 1429464730.699197 CqVMY53iVvTFSWclAi xx.xx.xx.xx xxxxx
> 172.16.88.88 443 tcp ssl 1002.988461 5491 4481 SF
> F 0ShADdaFf 21 6591 17 5377 (empty)
> 1429464286.982078 CUl3Cl24bUWkgbhAGd xx.xx.xx.xx xxxxx
> 172.16.88.88 443 tcp ssl 1447.315821 7095 5595 SF
> F 0ShADdafF 25 8403 21 6699 (empty)
For the record, this is solved, thanks to the distributed kibitzing of Adam
Slagell, Vern Paxson, Seth Hall, and others in the hallway track at BroCon
2015. "Check for VLAN tags." "Try 'vlan ####' in capture_filters."
Our upstream feed had been switched to a trunk, and began carrying other VLANs
in addition to the main tap feed we were expecting. When that happened, Bro
quietly stepped past the VLAN tags in policy processing.
As a result, there was no Bro monitoring outage. We just had some duplicate
and unintentionally monitored connections which we didn't spot due to low
volume. Thus the change slipped past us.
However, the pcap filter specification in restrict_filters would no longer
match due to the VLAN tags. Specifying the VLAN(s) to watch in
capture_filters clears the match for the IP addresses in restrict_filters.
Our fix, in local.bro (where 321 is the VLAN number of the tap feed):
-------
redef capture_filters = { ["all"] = "vlan 321 and (ip or not ip)" }
redef restrict_filters += { ["not-these-hosts"] = "not host 172.16.1.1 and not
host 172.16.22.22 and not host 172.16.39.39 and not host 172.16.88.88" };
-------
Richard
More information about the Bro
mailing list