[Bro] PacketFilter

James Lay jlay at slave-tothe-box.net
Sat Mar 18 10:21:22 PDT 2017


On 2017-03-18 11:07, Dave Crawford wrote:
> I'm attempting to implement a packet filter to drop multicast traffic
> but I'm not having success.
> 
> This is what I have in local.bro:
> 
> @load base/frameworks/packet-filter
> redef capture_filters += {
>     ["ip"] = "ip",
>     ["non-ip"] = "not ip"
> };
> 
> redef restrict_filters += { ["not-multicast"] = "net 224.0.0.0/4" };
> 
> Which according to the FAQ
> (https://www.bro.org/documentation/faq.html) should produce a BPF
> like:
> 
> ((ip) or (not ip)) and (not net 224.0.0.0/4)
> 
> But I'm still seeing multicast in the conn log:
> 
> 1489855468.534667   CM5Ehj4nefU23EOeyj  192.168.20.8    41340
> 239.254.127.63  60000   udp
> 
> It looks like the filters are being implemented:
> 
> [BroControl] > print capture_filters
>      ext-1   capture_filters = {
>     [non-ip] = not ip,
>     [ip] = ip
> }
> <snip>
> 
> [BroControl] > print restrict_filters
>      ext-1   restrict_filters = {
>     [not-multicast] = net 224.0.0.0/4
> }
> <snip>
> 
> Am I missing a step?
> 
> -Dave
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro


You could always just add it to your broctl.conf like so:

broargs = --filter 'your bpf here'

James
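As an added example (Python, not Bro's own code and not from either poster), the snippet below applies the composition rule the linked FAQ describes, capture_filters OR'ed together and each restrict_filter AND'ed onto that group, to the filters exactly as posted in local.bro above, and runs a multicast-range check over the conn.log line posted above. The function names `build_bpf` and `is_multicast_conn`, the dictionary ordering, and the second conn.log line are this example's own assumptions.

```python
"""Reproduce how capture_filters and restrict_filters combine into one BPF
expression (rule taken from the Bro FAQ linked in the thread) and check a
conn.log line against the multicast range the filter is meant to exclude.
Constructed example; the names below are not part of Bro."""
import ipaddress

# Assumption (per the FAQ): every capture_filters entry is OR'ed into one
# group, then every restrict_filters entry is AND'ed onto that group.
# Python dicts keep insertion order; Bro may emit the entries in another
# order (broctl printed [non-ip] before [ip]), which is logically equivalent.
def build_bpf(capture_filters: dict, restrict_filters: dict) -> str:
    capture_group = " or ".join(f"({f})" for f in capture_filters.values())
    expr = f"({capture_group})"
    for f in restrict_filters.values():
        expr += f" and ({f})"
    return expr

# Filters exactly as written in the thread's local.bro.
CAPTURE = {"ip": "ip", "non-ip": "not ip"}
RESTRICT_AS_WRITTEN = {"not-multicast": "net 224.0.0.0/4"}
# The negated form that the FAQ's expected expression shows.
RESTRICT_NEGATED = {"not-multicast": "not net 224.0.0.0/4"}

MULTICAST_RANGE = ipaddress.ip_network("224.0.0.0/4")

# conn.log line quoted in the thread (ts, uid, orig_h, orig_p, resp_h, resp_p, proto).
CONN_LINE = ("1489855468.534667 CM5Ehj4nefU23EOeyj 192.168.20.8 41340 "
             "239.254.127.63 60000 udp")
# Constructed non-multicast line for comparison (uid and addresses made up).
CONN_LINE_UNICAST = "1489855468.600000 Cxyz0example 192.168.20.8 41340 192.168.20.1 53 udp"

def is_multicast_conn(conn_log_line: str) -> bool:
    """True if the responder address (5th whitespace-separated field of a
    default conn.log line) falls inside 224.0.0.0/4."""
    fields = conn_log_line.split()
    resp_h = ipaddress.ip_address(fields[4])
    return resp_h in MULTICAST_RANGE

if __name__ == "__main__":
    print("as written :", build_bpf(CAPTURE, RESTRICT_AS_WRITTEN))
    print("negated    :", build_bpf(CAPTURE, RESTRICT_NEGATED))
    print("multicast? :", is_multicast_conn(CONN_LINE))
```

Applied to the filters as posted, the rule yields `((ip) or (not ip)) and (net 224.0.0.0/4)`, which keeps only multicast; the FAQ's expected expression carries a `not` in the restrict term. So the first thing to verify when multicast still shows up in conn.log is that the restrict filter printed by `print restrict_filters` actually contains the negation, and that the responder addresses in the offending conn.log lines fall in 224.0.0.0/4 rather than in some other range the filter never covered.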

