[Bro] BPF Filter per log file or framework such as x509, SSL

Johanna Amann johanna at icir.org
Fri Sep 18 10:15:57 PDT 2015


Just to repeat my answer from the bug tracker:

you can add bpf filters with the syntax described in
https://www.bro.org/sphinx/scripts/base/frameworks/packet-filter/main.bro.html

The thread at
http://comments.gmane.org/gmane.comp.security.detection.bro/4759 also has
a few examples. There is no easy way to tell Bro to just allow traffic
containing x509 certificates - you have to build the filter yourself, only
allowing the hosts and services that have traffic containing x509
certificates. If using broctl, typically you would add the filter commands
to local.bro or to a script that you load from local.bro – it is
discouraged to edit any scripts in base/ or policy/ yourself.

Do you need anything else, or does that perhaps fulfill your requirements?

Johanna

On Fri, Sep 18, 2015 at 04:28:53AM -0400, Ludwig Goon wrote:
> when activating the x509.log or bro script in local.bro, can I configure a
> BPF filter to only affect x509 framework? For example I only want to have
> events that the dst_host is our DMZ subnet. Can I configure that in the
> x509.bro file/framework or some other bro configuration file? If so is this
> a local variable called subnet or something?

> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
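Editorial note on the reply above: Bro builds its capture filter by OR'ing every entry of the global `capture_filters` table and AND'ing every entry of `restrict_filters` onto it, so the "build the filter yourself" advice amounts to redef'ing those two tables from local.bro. The snippet below is an added example, not code from the list post or from the Bro distribution; the module name, the 192.0.2.0/24 subnet and the port numbers are placeholders chosen for illustration. One caveat the original question glosses over: a filter of the form `dst net <DMZ>` only passes packets travelling *to* the DMZ, but the certificate that feeds x509.log is sent *by* the server, and Bro needs both directions to reassemble the TCP stream, so the filter has to use `net` (both directions) rather than `dst net`.

```bro
##! Added example (not from the original post): restrict Bro's BPF capture
##! filter to TLS traffic to and from a DMZ so that x509.log only sees
##! certificates presented by DMZ servers.  Load this from local.bro (or a
##! script that local.bro @loads); do not edit scripts under base/ or policy/.

@load base/frameworks/packet-filter

module DMZ_TLS;

export {
	## Hypothetical: the DMZ whose servers' certificates should be logged.
	## 192.0.2.0/24 is a documentation prefix used here as a placeholder.
	const dmz: subnet = 192.0.2.0/24 &redef;
}

# Entries in capture_filters are OR'ed together.  When the table is
# non-empty the framework uses it instead of the default "ip or not ip",
# so only the listed TLS ports (placeholders) reach the analyzers.
redef capture_filters += {
	["dmz-https"] = fmt("net %s and tcp port 443", dmz),
	["dmz-imaps"] = fmt("net %s and tcp port 993", dmz)
};

# Entries in restrict_filters are AND'ed onto the capture filter.  This one
# pins every captured packet to the DMZ in either direction.  Using
# "dst net" here instead of "net" would drop the server's packets, i.e. the
# ones carrying the certificate, and x509.log would stay empty.
redef restrict_filters += {
	["dmz-both-directions"] = fmt("net %s", dmz)
};

# Sanity check: the framework installs the combined filter during bro_init
# and records it in PacketFilter::current_filter (and in packet_filter.log).
# The very low priority makes this handler run after that installation.
event bro_init() &priority=-100
	{
	print fmt("Installed BPF filter: %s", PacketFilter::current_filter);
	}
```

After a `broctl deploy`, compare the line printed here (or the entry in packet_filter.log) against `tcpdump -i <iface> -d '<filter>'` to confirm the expression compiles and matches the traffic you expect; a filter that fails to compile raises a PacketFilter::Compile_Failure notice and Bro falls back to the previous filter.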
