[Bro] broctl print capture_filters failing
Perry, David
perry29 at llnl.gov
Thu Apr 12 08:21:20 PDT 2018
Jim,
Thanks very much.
That is a helpful article. I had known about the VLAN pitfalls from bitter experience and think I navigated around them in the way I intended in the original 'long' version of the filter. I think the opening line summarizes pretty well "vlan is weird."
I am pretty convinced now that the fragments are being applied in some non-deterministic order, which makes them useless for my application, unfortunately.
David
On Apr 11, 2018, at 3:46 PM, Jim Mellander <jmellander at lbl.gov> wrote:
Use of vlan in bpf filters can be problematic. See: https://stackoverflow.com/questions/31136182/libpcap-filter-strings-using-vlan-are-behaving-weirdly
I don't think the "much neater looking" bpf fragments are necessarily being applied in the same order that you specify them, as the order of traversal through a table is not specified.
Hope this helps.
On Wed, Apr 11, 2018 at 3:20 PM, Perry, David <perry29 at llnl.gov> wrote:
Thanks, Justin, this works well too.
In both cases, when I re-run bro, the order of pieces printed is different. I don't know if this order is an artifact, or what, but I think the internal order is important -- non-vlan filters first and vlan filters after...
The thing I am trying to troubleshoot is that if I concatenate on one line all of the pieces, the filter works as expected. If I do this:
> redef capture_filters = { ["subnets"] = "(not (src net aaa.bbb.0.0/16 or src net aaa.ccc.0.0/16 or src net ddd.jjj.0.0/16 or net eee.hhh.ggg.0/28)) or (vlan and (not (src net aaa.bbb.0.0/16 or src net aaa.ccc.0.0/16 or src net ddd.jjj.0.0/16 or net eee.hhh.ggg.0/28)))" };
it works as expected. However if I do this (much neater looking):
> redef capture_filters = {
> ["subnets"] = " (not (src net aaa.bbb.0.0/16 or src net aaa.ccc.0.0/16 or src net ddd.jjj.0.0/16))",
> ["iris-1"] = " (not (net eee.hhh.ggg.0/28))",
> ["subnets_V"] = "(vlan and (not (src net aaa.bbb.0.0/16 or src net aaa.ccc.0.0/16 or src net ddd.jjj.0.0/16)))",
> ["iris-1_V"] = "(vlan and (not (net eee.hhh.ggg.0/28)))"
> };
I do not get the same behavior.
David
> On Apr 11, 2018, at 1:47 PM, Azoff, Justin S <jazoff at illinois.edu> wrote:
>
>
>> On Apr 11, 2018, at 4:36 PM, Aashish Sharma <asharma at lbl.gov> wrote:
>>
>> event bro_init()
>>     {
>>     local _msg = "";
>>
>>     for ( a in capture_filters )
>>         {
>>         _msg = fmt("capture-filters: %s-> %s", a, capture_filters[a]);
>>         event reporter_info(network_time(), _msg, peer_description);
>>         }
>>     }
>
> You can just
>
> Reporter::info(fmt ("capture-filters: %s-> %s", a, capture_filters[a]));
>
>
>
> —
> Justin Azoff
>
>
_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
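The workaround David describes above (one concatenated filter instead of several table entries) can be generated rather than typed by hand. The script below is an added example, not code from the thread or from Bro: it takes the four fragments from the mail (placeholder octets kept as written, not real addresses), orders every non-vlan fragment before every vlan fragment so the `vlan` keyword's offset shift cannot affect the other terms, joins them with `or` (the assumption being that Bro combines capture_filters entries the same way), and renders a single-entry `redef`.

```python
import re

# Constructed sample: the four-key table posted in the thread, with the same
# placeholder octets. Keys and values are the mail's, not production values.
FRAGMENTS = {
    "subnets": " (not (src net aaa.bbb.0.0/16 or src net aaa.ccc.0.0/16 or src net ddd.jjj.0.0/16))",
    "iris-1": " (not (net eee.hhh.ggg.0/28))",
    "subnets_V": "(vlan and (not (src net aaa.bbb.0.0/16 or src net aaa.ccc.0.0/16 or src net ddd.jjj.0.0/16)))",
    "iris-1_V": "(vlan and (not (net eee.hhh.ggg.0/28)))",
}

VLAN_KW = re.compile(r"\bvlan\b")


def uses_vlan(fragment: str) -> bool:
    """True if the BPF fragment contains the 'vlan' keyword, which changes the
    header offsets libpcap uses for everything that follows it in the text."""
    return VLAN_KW.search(fragment) is not None


def _enclosed(frag: str) -> bool:
    """True if frag is already a single parenthesised group, so it does not
    need another pair of brackets when joined with 'or'."""
    if not (frag.startswith("(") and frag.endswith(")")):
        return False
    depth = 0
    for i, ch in enumerate(frag):
        depth += (ch == "(") - (ch == ")")
        if depth == 0 and i < len(frag) - 1:
            return False
    return depth == 0


def combine_filters(fragments: dict) -> str:
    """Join fragments with 'or' in a fixed order: non-vlan fragments first,
    vlan fragments last, each group sorted by key, so the output does not
    depend on the dict's (or a Bro table's) iteration order."""
    plain = sorted(k for k in fragments if not uses_vlan(fragments[k]))
    tagged = sorted(k for k in fragments if uses_vlan(fragments[k]))
    parts = []
    for k in plain + tagged:
        frag = fragments[k].strip()
        parts.append(frag if _enclosed(frag) else f"({frag})")
    return " or ".join(parts)


def single_entry_redef(fragments: dict, key: str = "subnets") -> str:
    """Render the combined filter as a one-entry capture_filters redef, the
    form the thread reports as working as expected."""
    combined = combine_filters(fragments).replace('"', '\\"')
    return f'redef capture_filters = {{ ["{key}"] = "{combined}" }};'


if __name__ == "__main__":
    print(single_entry_redef(FRAGMENTS))
```

Paste the printed `redef` line into local.bro in place of the multi-entry table; it keeps the same terms but fixes their order.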