[Bro] PacketFilter
James Lay
jlay at slave-tothe-box.net
Sat Mar 18 10:21:22 PDT 2017
On 2017-03-18 11:07, Dave Crawford wrote:
> I'm attempting to implement a packet filter to drop multicast traffic
> but I'm not having success.
>
> This is what I have in local.bro:
>
> @load base/frameworks/packet-filter
> redef capture_filters += {
> ["ip"] = "ip",
> ["non-ip"] = "not ip"
> };
>
> redef restrict_filters += { ["not-multicast"] = "net 224.0.0.0/4" };
>
> Which according to the FAQ
> (https://www.bro.org/documentation/faq.html) should produce a BPF
> like:
>
> ((ip) or (not ip)) and (not net 224.0.0.0/4)
>
> But I'm still seeing multicast in the conn log:
>
> 1489855468.534667 CM5Ehj4nefU23EOeyj 192.168.20.8 41340
> 239.254.127.63 60000 udp
>
> It looks like the filters are being implemented:
>
> [BroControl] > print capture_filters
> ext-1 capture_filters = {
> [non-ip] = not ip,
> [ip] = ip
> }
> <snip>
>
> [BroControl] > print restrict_filters
> ext-1 restrict_filters = {
> [not-multicast] = net 224.0.0.0/4
> }
> <snip>
>
> Am I missing a step?
>
> -Dave
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
You could always just add it to your broctl.conf like so:
broargs = --filter 'your bpf here'
James
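Whichever way the BPF ends up on the command line, the practical check is the one Dave did by hand: look in conn.log for flows whose responder address is still in the multicast range after the filter is supposedly in place. The script below is an added example, not code from the thread or from Bro itself; it parses Bro's tab-separated conn.log format using the `#fields` header and reports any record whose `id.resp_h` is a multicast address. The log lines it reads are constructed for the example (the first mirrors the one Dave posted). It uses Python's `ip_address(...).is_multicast`, which also flags IPv6 multicast (ff00::/8), something a BPF of `net 224.0.0.0/4` does not cover while `not ip` in the capture filter still lets IPv6 through.

```python
import ipaddress

# Constructed sample conn.log (Bro's tab-separated format, only the columns
# needed here). These lines are made up for the example; the first one
# mirrors the flow quoted in the thread.
SAMPLE_CONN_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1489855468.534667\tCM5Ehj4nefU23EOeyj\t192.168.20.8\t41340\t239.254.127.63\t60000\tudp
1489855469.104210\tCexample01\t192.168.20.8\t50321\t192.168.20.1\t53\tudp
1489855470.221337\tCexample02\t192.168.20.9\t5353\t224.0.0.251\t5353\tudp
1489855471.005002\tCexample03\tfe80::1\t546\tff02::1:2\t547\tudp
"""


def parse_conn_log(text):
    """Yield one dict per data row, keyed by the names in the #fields header.

    Other '#' lines (#separator, #types, #close, ...) are skipped.
    """
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        if fields is None:
            raise ValueError("conn.log data row seen before #fields header")
        yield dict(zip(fields, line.split("\t")))


def multicast_flows(text):
    """Return the conn.log records whose responder address is multicast.

    Covers 224.0.0.0/4 for IPv4 and ff00::/8 for IPv6. Records whose
    id.resp_h is not a parseable address are ignored.
    """
    hits = []
    for rec in parse_conn_log(text):
        try:
            resp = ipaddress.ip_address(rec["id.resp_h"])
        except (KeyError, ValueError):
            continue
        if resp.is_multicast:
            hits.append(rec)
    return hits


def filter_verdict(text):
    """Summarise whether the restrict filter appears to be working."""
    leaked = multicast_flows(text)
    if not leaked:
        return "no multicast flows in conn.log; filter looks effective"
    hosts = ", ".join(r["id.resp_h"] for r in leaked)
    return f"{len(leaked)} multicast flow(s) still logged: {hosts}"


if __name__ == "__main__":
    # On a real sensor, read $PREFIX/logs/current/conn.log instead.
    print(filter_verdict(SAMPLE_CONN_LOG))
```

Run it against the live conn.log after restarting the workers; if multicast flows keep appearing, the BPF actually installed is not the one you expect, and `broctl print capture_filters` only shows the table contents, not the combined filter string Bro handed to libpcap.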