[Bro] Bro restrict filters question
Edgmand, Craig
craig.edgmand at okstate.edu
Tue Jun 13 12:05:29 PDT 2017
Oddly enough it works with tcpdump but not with Bro.
-----Original Message-----
From: Azoff, Justin S [mailto:jazoff at illinois.edu]
Sent: Tuesday, June 13, 2017 10:13 AM
To: Edgmand, Craig <craig.edgmand at okstate.edu>
Cc: bro at bro.org
Subject: Re: [Bro] Bro restrict filters question
> On Jun 13, 2017, at 10:59 AM, Edgmand, Craig <craig.edgmand at okstate.edu> wrote:
>
> Hello,
>
> I am running Bro 2.5 and I am trying to set up some restrict_filters to drop certain hosts and types of traffic.
> I have the following entries in my local.bro..
>
> redef PacketFilter::enable_auto_protocol_capture_filters = F;
> redef capture_filters = { ["packets-like-this"] = "ip or not ip" };
> redef restrict_filters = { ["no-data-like-this"] = "not host 192.168.2.1" };
>
>
> I had something similar in earlier versions of Bro that seemed to work but this doesn’t work at all.
>
> When I run ./broctl print restrict_filters it shows that the workers have that filter.
>
> Any ideas?
Is your traffic vlan tagged? You may need to use
redef restrict_filters = { ["no-data-like-this"] = "vlan and not host 192.168.2.1" };
--
- Justin Azoff
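
Why the `vlan` keyword suggested above can matter, as an added example that is not part of the original thread: a simplified Python model of classic offset-based BPF matching (IPv4 only; the function names and sample frames are constructed for illustration) showing that `host` reads fixed offsets and so never sees the address in an 802.1Q-tagged frame.

```python
import socket
import struct

ETH_IP, ETH_VLAN = 0x0800, 0x8100

def frame(src, dst, vlan_id=None):
    """Build a constructed Ethernet + IPv4 header, optionally 802.1Q tagged."""
    macs = bytes(12)  # zeroed dst/src MAC, irrelevant to these filters
    tag = struct.pack("!HH", ETH_VLAN, vlan_id) if vlan_id is not None else b""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return macs + tag + struct.pack("!H", ETH_IP) + ip

def host(pkt, addr, shift=0):
    """Model of 'host ADDR': ethertype at offset 12, IPv4 src/dst at 26/30."""
    if struct.unpack_from("!H", pkt, 12 + shift)[0] != ETH_IP:
        return False  # a tagged frame has 0x8100 here, so 'host' never matches
    a = socket.inet_aton(addr)
    return pkt[26 + shift:30 + shift] == a or pkt[30 + shift:34 + shift] == a

def vlan(pkt):
    """Model of 'vlan': true for 802.1Q frames; later offsets move by 4."""
    return struct.unpack_from("!H", pkt, 12)[0] == ETH_VLAN

def plain_filter(pkt, addr):
    """'not host ADDR': True means the packet is kept."""
    return not host(pkt, addr)

def vlan_filter(pkt, addr):
    """'vlan and not host ADDR': True means the packet is kept."""
    return vlan(pkt) and not host(pkt, addr, shift=4)

def demo(addr="192.168.2.1"):
    """Evaluate both filters over three constructed frames."""
    frames = {
        "untagged from host": frame(addr, "10.0.0.5"),
        "tagged from host": frame(addr, "10.0.0.5", vlan_id=100),
        "tagged other host": frame("10.0.0.9", "10.0.0.5", vlan_id=100),
    }
    return {name: (plain_filter(p, addr), vlan_filter(p, addr))
            for name, p in frames.items()}

if __name__ == "__main__":
    for name, (plain, tagged) in demo().items():
        print(f"{name:20s} not-host keeps={plain}  vlan-and-not-host keeps={tagged}")
```

In this model `vlan and not host ...` keeps only tagged frames, so any untagged traffic on the same interface is excluded entirely.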