[Bro] Bro restrict filters question

Johanna Amann johanna at icir.org
Thu Jun 22 12:20:57 PDT 2017


Can you check if "broctl print PacketFilter::current_filter" looks
reasonable, and if the exact filter it returns works for you with tcpdump?

Johanna

On Tue, Jun 13, 2017 at 07:05:29PM +0000, Edgmand, Craig wrote:
> Oddly enough it works with tcpdump but not with Bro.  
> 
> -----Original Message-----
> From: Azoff, Justin S [mailto:jazoff at illinois.edu] 
> Sent: Tuesday, June 13, 2017 10:13 AM
> To: Edgmand, Craig <craig.edgmand at okstate.edu>
> Cc: bro at bro.org
> Subject: Re: [Bro] Bro restrict filters question
> 
> 
> > On Jun 13, 2017, at 10:59 AM, Edgmand, Craig <craig.edgmand at okstate.edu> wrote:
> > 
> > Hello,
> >  
> > I am running Bro 2.5 and I am trying to set up some restrict_filters to drop certain hosts and types of traffic.
> > I have the following entries in my local.bro..
> >  
> > redef PacketFilter::enable_auto_protocol_capture_filters = F;
> > redef capture_filters = { ["packets-like-this"] = "ip or not ip" };
> > redef restrict_filters = { ["no-data-like-this"] = "not host 192.168.2.1" };
> >  
> > 
> > I had something similar in earlier versions of Bro that seemed to work but this doesn’t work at all. 
> >  
> > When I run ./broctl print restrict_filters  it shows that the workers have that filter.
> >  
> > Any ideas?
> 
> Is your traffic vlan tagged? You may need to use
> 
> redef restrict_filters = { ["no-data-like-this"] = "vlan and not host 192.168.2.1" };
> 
> --
> - Justin Azoff
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> 
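The following is an added illustration, not code from this thread or from Bro, of why Justin's suggestion matters. It models, in simplified form, how libpcap compiles a BPF `host` primitive: it reads the ethertype at a fixed offset (12) and the IPv4 addresses at fixed offsets (26 and 30) for plain Ethernet, and the pcap-filter manual states that the first `vlan` keyword in an expression shifts the decoding offsets for the remainder of the expression by the 4-byte 802.1Q tag. On tagged frames, a plain `not host 192.168.2.1` therefore never sees an IPv4 ethertype, `host` is false for every frame, and the restrict filter excludes nothing, which matches the symptom reported above. The frames, addresses and VLAN id are constructed sample data; the third expression variant (for a mix of tagged and untagged traffic) goes beyond the thread and is an assumption based on that documented offset-shifting rule.

```python
"""Model of how a BPF 'host' primitive reads a frame at fixed offsets, and why
'not host X' silently stops matching once frames carry an 802.1Q tag.
All frames below are constructed sample data, not captured traffic."""
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100  # 802.1Q TPID
ETH_HDR_LEN = 14         # dst MAC, src MAC, ethertype
VLAN_TAG_LEN = 4         # TPID + TCI


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def build_frame(src_ip, dst_ip, vlan_id=None):
    """Build a minimal Ethernet + IPv4 header (no payload); optionally insert an 802.1Q tag."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")  # constructed MACs
    if vlan_id is not None:
        # TPID, then TCI with PCP/DEI zero and the 12-bit VID
        eth += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF)
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    # IPv4: ver/IHL, TOS, total length, id, flags/frag, TTL, proto (TCP), checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    return eth + ip


def is_vlan(frame):
    """BPF 'vlan': true when the ethertype field at offset 12 holds the 802.1Q TPID."""
    return len(frame) >= ETH_HDR_LEN and struct.unpack_from("!H", frame, 12)[0] == ETHERTYPE_VLAN


def host_match(frame, ip, shift=0):
    """BPF 'host X' as compiled for plain Ethernet: ethertype at 12, IPv4 src/dst at 26/30.
    After a 'vlan' keyword libpcap adds 4 to every later offset; 'shift' models that."""
    if len(frame) < ETH_HDR_LEN + shift + 20:
        return False
    if struct.unpack_from("!H", frame, 12 + shift)[0] != ETHERTYPE_IPV4:
        return False
    target = ip_to_bytes(ip)
    src = frame[26 + shift:30 + shift]
    dst = frame[30 + shift:34 + shift]
    return src == target or dst == target


def apply_restrict_filter(frames, ip, variant):
    """Return the frames a worker would keep under each restrict_filters expression."""
    if variant == "not host X":
        return [f for f in frames if not host_match(f, ip)]
    if variant == "vlan and not host X":
        # 'vlan' must be true, and 'host' is evaluated with offsets shifted past the tag
        return [f for f in frames if is_vlan(f) and not host_match(f, ip, VLAN_TAG_LEN)]
    if variant == "not host X and not (vlan and host X)":
        # first 'host' reads untagged offsets; the later 'vlan' shifts the second 'host'
        return [f for f in frames
                if not host_match(f, ip) and not (is_vlan(f) and host_match(f, ip, VLAN_TAG_LEN))]
    raise ValueError(variant)


EXCLUDED = "192.168.2.1"  # the host the thread's restrict filter tries to drop
SAMPLE_FRAMES = {          # constructed sample frames
    "tagged_from_excluded": build_frame(EXCLUDED, "10.0.0.5", vlan_id=100),
    "tagged_other": build_frame("10.0.0.7", "10.0.0.8", vlan_id=100),
    "untagged_from_excluded": build_frame(EXCLUDED, "10.0.0.5"),
    "untagged_other": build_frame("10.0.0.7", "10.0.0.9"),
}


def kept_names(variant):
    """Names of the sample frames that survive a given filter variant, in input order."""
    kept = apply_restrict_filter(list(SAMPLE_FRAMES.values()), EXCLUDED, variant)
    return [name for name, f in SAMPLE_FRAMES.items() if f in kept]


if __name__ == "__main__":
    for variant in ("not host X", "vlan and not host X",
                    "not host X and not (vlan and host X)"):
        print(f"{variant:40s} keeps {kept_names(variant)}")
```

Running it shows the plain filter keeping every tagged frame, including the one from 192.168.2.1, and the `vlan and not host` form dropping that frame. Note the caveat visible in the second variant: because `vlan` is a positive test, any untagged frame fails the whole expression and is dropped too, so on a sensor that sees both tagged and untagged traffic the combined form is the one that keeps the untagged traffic while still excluding the host on both paths. The real check for a deployment is the one Johanna asks for above: print `PacketFilter::current_filter` and run that exact expression through tcpdump against the same interface.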

