[Bro] broctl print capture_filters failing
Seth Hall
seth at corelight.com
Thu Apr 12 05:51:57 PDT 2018
Oh, Aashish forwarded this to me off list and I didn't realize it was
actually posted here. I'll give a version of the email I sent off list
to hopefully explain this situation in more detail for everyone else
too.
The fact that these filters have vlan tags makes this all super
complicated (as Jim pointed out, thanks!). Generally I recommend that
if people have vlan tags, they don't try to do filtering because it's
going to be seriously mind bending.
Unfortunately, at the moment I have a hard time making a suggestion for a
filter if you want to use capture_filters; as you've discovered, that can
be complicated based on how filter fragments are combined. You may want
to use the full filter you wrote and use that as a 'cmd_line_bpf_filter'
variable. I wouldn't normally recommend using the 'cmd_line_bpf_filter'
variable because it closes some doors of functionality but there isn't a
good way to avoid it in this case.
redef cmd_line_bpf_filter = "(not (src net aaa.bbb.0.0/16 or src net aaa.ccc.0.0/16 or src net ddd.jjj.0.0/16 or net eee.hhh.ggg.0/28)) or (vlan and (not (src net aaa.bbb.0.0/16 or src net aaa.ccc.0.0/16 or src net ddd.jjj.0.0/16 or net eee.hhh.ggg.0/28)))";
I did want to make one other comment about the filter. You almost
certainly don't want to use "src" or "dst" in your filters. Because
that filtering is done at the packet level, even if the filter works
correctly it means that you'll only see a single direction of traffic
which will also be bad for Bro. Most of Bro's functionality expects to
see both directions of conversations and won't work as well if both
sides aren't there. So the line I would actually recommend running is
this...
redef cmd_line_bpf_filter = "(not (net aaa.bbb.0.0/16 or net aaa.ccc.0.0/16 or net ddd.jjj.0.0/16 or net eee.hhh.ggg.0/28)) or (vlan and (not (net aaa.bbb.0.0/16 or net aaa.ccc.0.0/16 or net ddd.jjj.0.0/16 or net eee.hhh.ggg.0/28)))";
VLAN tags and BPF filtering are never any fun.
.Seth
On 11 Apr 2018, at 18:20, Perry, David wrote:
> Thanks, Justin, this works well too.
>
> In both cases, when I re-run bro, the order of pieces printed is
> different. I don't know if this order is an artifact, or what, but I
> think the internal order is important -- non-vlan filters first and
> vlan filters after....
>
> The thing I am trying to troubleshoot is that if I concatenate on one
> line all of the pieces, the filter works as expected. If I do this:
>
>> redef capture_filters = { ["subnets"] = "(not (src net aaa.bbb.0.0/16 or src net aaa.ccc.0.0/16 or src net ddd.jjj.0.0/16 or net eee.hhh.ggg.0/28)) or (vlan and (not (src net aaa.bbb.0.0/16 or src net aaa.ccc.0.0/16 or src net ddd.jjj.0.0/16 or net eee.hhh.ggg.0/28)))" };
>
> it works as expected. However if I do this (much neater looking):
>
>> redef capture_filters = {
>>     ["subnets"] = "(not (src net aaa.bbb.0.0/16 or src net aaa.ccc.0.0/16 or src net ddd.jjj.0.0/16))",
>>     ["iris-1"] = "(not (net eee.hhh.ggg.0/28))",
>>     ["subnets_V"] = "(vlan and (not (src net aaa.bbb.0.0/16 or src net aaa.ccc.0.0/16 or src net ddd.jjj.0.0/16)))",
>>     ["iris-1_V"] = "(vlan and (not (net eee.hhh.ggg.0/28)))"
>> };
>
> I do not get the same behavior.
>
> David
>
>
>> On Apr 11, 2018, at 1:47 PM, Azoff, Justin S <jazoff at illinois.edu>
>> wrote:
>>
>>
>>> On Apr 11, 2018, at 4:36 PM, Aashish Sharma <asharma at lbl.gov> wrote:
>>>
>>> event bro_init()
>>>     {
>>>     local _msg = "";
>>>
>>>     for ( a in capture_filters )
>>>         {
>>>         _msg = fmt("capture-filters: %s-> %s", a, capture_filters[a]);
>>>         event reporter_info(network_time(), _msg, peer_description);
>>>         }
>>>     }
>>
>> You can just
>>
>> Reporter::info(fmt("capture-filters: %s-> %s", a, capture_filters[a]));
>>
>>
>>
>> —
>> Justin Azoff
>>
>>
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
--
Seth Hall * Corelight, Inc * www.corelight.com
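Added example, not code from the thread or from the Bro project: a small model of how Bro's packet-filter framework glues capture_filters fragments together, and of why the fragment order David sees changing between runs matters once a "vlan" keyword is involved. Assumptions are labelled in the code: combine_filters()/build_capture_filter() mirror the logic of base/frameworks/packet-filter/main.bro (every capture_filters entry ORed together in table-iteration order, restrict_filters omitted), and the VLAN behaviour is the pcap-filter(7) rule that the first "vlan" keyword shifts decoding offsets for the remainder of the whole expression, not just its own branch. The addresses are RFC 5737 documentation ranges standing in for the placeholders in the thread.

```python
# Added example (not code from the original thread or from the Bro project):
# models how Bro's packet-filter framework glues capture_filters fragments
# together and why the order of fragments matters once "vlan" is involved.
#
# Labelled assumptions:
#  * combine_filters()/build_capture_filter() mirror the logic of Bro's
#    base/frameworks/packet-filter/main.bro, which joins every capture_filters
#    entry with "or" in table-iteration order (unordered). restrict_filters,
#    which the real framework ANDs in afterwards, are omitted.
#  * The VLAN rule is the one documented in pcap-filter(7): the first "vlan"
#    keyword in an expression shifts the link-layer decoding offsets for the
#    remainder of the whole expression, not just for its own parenthesised
#    branch. Only "net" tests are tracked here.
#  * Addresses are RFC 5737 documentation ranges standing in for the
#    aaa.bbb.0.0/16 placeholders used in the thread.
import re
from typing import Dict, List

_TOKEN = re.compile(r"\(|\)|[^\s()]+")


def combine_filters(lfilter: str, op: str, rfilter: str) -> str:
    """Join two BPF fragments the way Bro's PacketFilter::combine_filters does."""
    if lfilter == "" and rfilter == "":
        return ""
    if lfilter == "":
        return rfilter
    if rfilter == "":
        return lfilter
    return f"({lfilter}) {op} ({rfilter})"


def build_capture_filter(fragments: Dict[str, str], order: List[str]) -> str:
    """OR the named fragments together in the given order (Bro uses table order)."""
    cfilter = ""
    for name in order:
        cfilter = combine_filters(cfilter, "or", fragments[name])
    return cfilter


def fragment_decoding(fragments: Dict[str, str], order: List[str]) -> Dict[str, List[str]]:
    """For each fragment, list how its "net" tests get decoded in the combined
    expression: "untagged", or "vlan-shifted" once any earlier "vlan" was seen."""
    shifted = False
    report: Dict[str, List[str]] = {}
    for name in order:
        decodings = []
        for tok in _TOKEN.findall(fragments[name]):
            if tok == "vlan":
                shifted = True
            elif tok == "net":
                decodings.append("vlan-shifted" if shifted else "untagged")
        report[name] = decodings
    return report


def broken_fragments(fragments: Dict[str, str], order: List[str]) -> List[str]:
    """Fragments written for untagged traffic (no "vlan" keyword of their own)
    whose "net" tests would nevertheless be decoded at VLAN-shifted offsets
    because some earlier fragment contained "vlan"."""
    report = fragment_decoding(fragments, order)
    return [
        name for name in order
        if "vlan" not in _TOKEN.findall(fragments[name])
        and "vlan-shifted" in report[name]
    ]


def drop_direction(expr: str) -> str:
    """Turn "src net"/"dst net" into plain "net" so both sides of a
    conversation pass the filter (the thread's advice against src/dst)."""
    return re.sub(r"\b(?:src|dst)\s+net\b", "net", expr)


# Constructed sample data modelled on the two variants posted in the thread.
SPLIT = {
    "subnets": "(not (src net 192.0.2.0/24 or src net 198.51.100.0/24))",
    "iris-1": "(not (net 203.0.113.0/28))",
    "subnets_V": "(vlan and (not (src net 192.0.2.0/24 or src net 198.51.100.0/24)))",
    "iris-1_V": "(vlan and (not (net 203.0.113.0/28)))",
}
ONE_LINE = {
    "subnets": "(not (net 192.0.2.0/24 or net 198.51.100.0/24 or net 203.0.113.0/28))"
               " or (vlan and (not (net 192.0.2.0/24 or net 198.51.100.0/24"
               " or net 203.0.113.0/28)))",
}

if __name__ == "__main__":
    good = ["subnets", "iris-1", "subnets_V", "iris-1_V"]
    bad = ["subnets_V", "subnets", "iris-1_V", "iris-1"]
    print("untagged-first order, misdecoded:", broken_fragments(SPLIT, good))
    print("vlan-first order, misdecoded:   ", broken_fragments(SPLIT, bad))
    print("single fragment, misdecoded:    ", broken_fragments(ONE_LINE, ["subnets"]))
    print(drop_direction(build_capture_filter(SPLIT, good)))
```

Because the single-string variant is one fragment, its internal "untagged tests first, vlan tests second" order is fixed no matter how Bro iterates the table, which is why it behaves the same on every run; with four fragments, any run in which a "_V" entry is iterated before its untagged twin leaves the untagged tests reading IP headers at the wrong offset.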