[Bro] broctl print capture_filters failing

Perry, David perry29 at llnl.gov
Thu Apr 12 08:21:20 PDT 2018


Jim,

Thanks very much.

That is a helpful article.  I had known about the VLAN pitfalls from bitter experience and think I navigated around them in the way I intended in the original 'long' version of the filter.  I think the opening line summarizes pretty well "vlan is weird."

I am pretty convinced now that the fragments are being applied in some non-deterministic order, which makes them useless for my application, unfortunately.

David



On Apr 11, 2018, at 3:46 PM, Jim Mellander <jmellander at lbl.gov> wrote:

Use of vlan in bpf filters can be problematic.  See: https://stackoverflow.com/questions/31136182/libpcap-filter-strings-using-vlan-are-behaving-weirdly

I don't think the "much neater looking" bpf fragments are necessarily being applied in the same order that you specify them as the order of traversal through a table is not specified.

Hope this helps.



On Wed, Apr 11, 2018 at 3:20 PM, Perry, David <perry29 at llnl.gov> wrote:
Thanks, Justin, this works well too.

In both cases, when I re-run bro, the order of pieces printed is different.  I don't know if this order is an artifact, or what, but I think the internal order is important -- non-vlan filters first and vlan filters after....

The thing I am trying to troubleshoot is that if I concatenate on one line all of the pieces, the filter works as expected.  If I do this:

> redef capture_filters     = { ["subnets"] = "(not (src net aaa.bbb.0.0/16 or src net aaa.ccc.0.0/16 or src net ddd.jjj.0.0/16 or net eee.hhh.ggg.0/28)) or (vlan and (not (src net aaa.bbb.0.0/16 or src net aaa.ccc.0.0/16 or src net ddd.jjj.0.0/16 or net eee.hhh.ggg.0/28)))" };

it works as expected.  However if I do this (much neater looking):

> redef capture_filters     = {
> ["subnets"]   = "          (not (src net aaa.bbb.0.0/16 or src net aaa.ccc.0.0/16 or src net ddd.jjj.0.0/16))",
> ["iris-1"]    = "          (not (net eee.hhh.ggg.0/28))",
> ["subnets_V"] = "(vlan and (not (src net aaa.bbb.0.0/16 or src net aaa.ccc.0.0/16 or src net ddd.jjj.0.0/16)))",
> ["iris-1_V"]  = "(vlan and (not (net eee.hhh.ggg.0/28)))"
> };

I do not get the same behavior.

David


> On Apr 11, 2018, at 1:47 PM, Azoff, Justin S <jazoff at illinois.edu> wrote:
>
>
>> On Apr 11, 2018, at 4:36 PM, Aashish Sharma <asharma at lbl.gov> wrote:
>>
>> event bro_init()
>> {
>>     local _msg = "";
>>
>>     for (a in capture_filters)
>>     {
>>         _msg = fmt("capture-filters: %s-> %s", a, capture_filters[a]);
>>         event reporter_info(network_time(), _msg, peer_description);
>>     }
>> }
>
> You can just
>
>    Reporter::info(fmt ("capture-filters: %s-> %s", a, capture_filters[a]));
>
>
>
>> Justin Azoff
>
>


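The ordering problem discussed above, as an added example that is not code from the thread or from Bro: it models the combined filter as the table's values joined with "or" in iteration order (an assumption about how Bro builds the filter), flags every iteration order in which a plain fragment lands after a "vlan" fragment, and shows the mitigation of fixing the order yourself. The one libpcap fact it relies on is that the first "vlan" keyword in a filter shifts the link-layer offsets used by everything that follows it.

```python
"""Added example: why several capture_filters entries are order-sensitive.

Assumptions (not from the thread): Bro joins the table values with " or " in
table-iteration order, which it does not guarantee.  libpcap fact: the first
'vlan' keyword in a filter shifts the header offsets used by every expression
AFTER it, so a 'src net' test placed after a 'vlan' fragment is evaluated at
VLAN-tagged offsets even for untagged packets.
"""
import itertools
import re

# The four fragments from the thread, with the same placeholder addresses.
FRAGMENTS = {
    "subnets":   "(not (src net aaa.bbb.0.0/16 or src net aaa.ccc.0.0/16 or src net ddd.jjj.0.0/16))",
    "iris-1":    "(not (net eee.hhh.ggg.0/28))",
    "subnets_V": "(vlan and (not (src net aaa.bbb.0.0/16 or src net aaa.ccc.0.0/16 or src net ddd.jjj.0.0/16)))",
    "iris-1_V":  "(vlan and (not (net eee.hhh.ggg.0/28)))",
}

VLAN_KW = re.compile(r"\bvlan\b")


def uses_vlan(fragment: str) -> bool:
    return VLAN_KW.search(fragment) is not None


def join_filter(fragments: dict, order) -> str:
    """Assumed model of the or-join over the table in the given order."""
    return " or ".join(f"({fragments[k]})" for k in order)


def order_is_safe(fragments: dict, order) -> bool:
    """True iff no plain (non-vlan) fragment appears after a vlan fragment."""
    seen_vlan = False
    for key in order:
        if uses_vlan(fragments[key]):
            seen_vlan = True
        elif seen_vlan:
            return False
    return True


def unsafe_orderings(fragments: dict) -> int:
    """Count the iteration orders that would mis-evaluate untagged traffic."""
    return sum(not order_is_safe(fragments, p) for p in itertools.permutations(fragments))


def build_deterministic_filter(fragments: dict) -> str:
    """Mitigation: choose the order yourself; plain fragments first, vlan last."""
    plain = sorted(k for k in fragments if not uses_vlan(fragments[k]))
    tagged = sorted(k for k in fragments if uses_vlan(fragments[k]))
    return join_filter(fragments, plain + tagged)


if __name__ == "__main__":
    print(f"{unsafe_orderings(FRAGMENTS)} of 24 orderings are unsafe")
    print(build_deterministic_filter(FRAGMENTS))
```

Only 4 of the 24 possible iteration orders keep every plain fragment ahead of every vlan fragment, which is why the behaviour changes between runs; the single-entry filter from the thread sidesteps the table order entirely.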