[Bro] BPF Syntax/Runtime Problem

Jim Mellander jmellander at lbl.gov
Mon Dec 17 12:50:04 PST 2018


Hi:

I ran your filter on a local bro instance with no problems, although, based
on your description, shouldn't you have parentheses around the subnets in
the restrict_filters["unmonitored nets"] expression, i.e.:

restrict_filters["unmonitored nets"] = "not (net 10.230.128.0/23 or net " +
    "10.230.64.0/23 or net 10.230.48.0/23 or net 10.230.130.0/23 or net " +
    "10.230.40.0/24 or net 10.230.237.0/24 or net 10.237.128.0/24 or net " +
    "10.230.108.0/24 or net 10.230.37.0/24 or net 10.230.38.0/24 or net " +
    "10.230.168.0/24 or net 10.230.72.0/24 or net 10.230.199.0/24 or net " +
    "10.230.177.0/24 or net 10.230.178.0/24 or net 10.230.179.0/24 or net " +
    "10.230.189.0/24 or net 10.230.183.0/24 or net 10.230.151.0/24 or net " +
    "10.230.165.0/24 or net 10.230.197.0/24 or net 10.230.167.0/24 or net " +
    "10.230.181.0/24 or net 10.230.31.0/24 or net 10.230.26.0/24 or net " +
    "10.230.180.0/24 or net 10.230.157.0/24 or net 10.230.159.0/24 or net " +
    "10.230.60.0/24 or net 10.230.150.0/24 or net 10.230.184.0/24 or net " +
    "10.230.202.0/24 or net 10.230.16.0/24 or net 10.230.156.0/24 or net " +
    "10.237.171.0/24 or net 10.230.76.0/24 or net 10.230.222.0/24 or net " +
    "10.230.186.0/24 or net 10.230.24.0/24 or net 10.237.162.0/24 or net " +
    "10.230.22.0/24 or net 10.230.112.0/23 or net 10.230.120.0/24 or net " +
    "10.230.163.0/24 or net 10.230.17.0/24 or net 10.230.152.0/24 or host " +
    "224.0.0.252)";

You might also take the filter in packet_filter.log and use that as the
filter for a tcpdump and see if you are, in fact, capturing the traffic you
expect.

Hope this helps,

Jim


On Mon, Dec 17, 2018 at 6:37 AM Andy Millett <andy at unimatrixzero.co.uk>
wrote:

> Hi guys,
>
> We have a number of distributed Bro IDS sensors running on Raspberry Pi
> hardware at over 50 MPLS sites which are small or medium size links
> (anything up to 50Mbps). We have another 100 sites which don’t have sensors
> deployed (yet), so we’re trying to capture as much additional information
> for our ELK stack at the corporate HQ where most traffic goes. With this, I
> want to bypass logging of subnets which already have a remote sensor
> deployed to reduce duplication in ELK. I’ve been trying to use the BPF
> syntax, but don’t appear to be very successful.
>
> For starters, I’ve tried this -
>
> event bro_init() &priority=-12
>         {
>         restrict_filters["ignore proxy node"] = "not (host 10.230.91.2)";
>         restrict_filters["unmonitored nets"] = "not net 10.230.128.0/23 or net " +
>                 "10.230.64.0/23 or net 10.230.48.0/23 or net 10.230.130.0/23 or net " +
>                 "10.230.40.0/24 or net 10.230.237.0/24 or net 10.237.128.0/24 or net " +
>                 "10.230.108.0/24 or net 10.230.37.0/24 or net 10.230.38.0/24 or net " +
>                 "10.230.168.0/24 or net 10.230.72.0/24 or net 10.230.199.0/24 or net " +
>                 "10.230.177.0/24 or net 10.230.178.0/24 or net 10.230.179.0/24 or net " +
>                 "10.230.189.0/24 or net 10.230.183.0/24 or net 10.230.151.0/24 or net " +
>                 "10.230.165.0/24 or net 10.230.197.0/24 or net 10.230.167.0/24 or net " +
>                 "10.230.181.0/24 or net 10.230.31.0/24 or net 10.230.26.0/24 or net " +
>                 "10.230.180.0/24 or net 10.230.157.0/24 or net 10.230.159.0/24 or net " +
>                 "10.230.60.0/24 or net 10.230.150.0/24 or net 10.230.184.0/24 or net " +
>                 "10.230.202.0/24 or net 10.230.16.0/24 or net 10.230.156.0/24 or net " +
>                 "10.237.171.0/24 or net 10.230.76.0/24 or net 10.230.222.0/24 or net " +
>                 "10.230.186.0/24 or net 10.230.24.0/24 or net 10.237.162.0/24 or net " +
>                 "10.230.22.0/24 or net 10.230.112.0/23 or net 10.230.120.0/24 or net " +
>                 "10.230.163.0/24 or net 10.230.17.0/24 or net 10.230.152.0/24 or host " +
>                 "224.0.0.252";
>         PacketFilter::install();
>         }
>
> With such a sizeable filter, bro does check out OK (broctl check), and it
> starts, but the spool directory never receives any traffic files. All we
> get is -
>
> root@bro00:/var/spool/bro/bro# ls
> communication.log  stderr.log  stdout.log
>
> The stderr.log ends with -
>
> Warning: Kernel filter failed: Cannot allocate memory
> received termination signal
> 0 packets received on interface not open, 0 dropped
>
> If I reduce the filters to just a couple of subnets (no more than 6), it
> works just fine.
>
> Any ideas greatly appreciated.
>
> Andy
>
>
>
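The two checks Jim raises, BPF operator precedence and replaying the installed filter through tcpdump, worked through as an added example; this is not code from the thread or from Bro. In pcap filter syntax `not` binds tighter than `or`, so `not net A or net B or ...` means `(not net A) or net B or ...`, which passes almost every packet, whereas `not (net A or net B or ...)` excludes them all. The evaluator below re-implements only that precedence for `net`/`host` primitives (it is not libpcap), the packet_filter.log content is constructed (only its `#fields` header is relied on; the real combined filter text Bro writes will differ), the interface name `eth0` is an assumption, and all function names are the example's own.

```python
"""Precedence check for restrict_filters strings and a tcpdump command built
from packet_filter.log. Added example, not code from the thread or from Bro."""
import ipaddress
import re
import shlex
from typing import Iterable, List, Tuple


def build_restrict_filter(nets: Iterable[str], hosts: Iterable[str] = ()) -> str:
    """Return "not (net A or net B ... or host H)", parenthesised so that
    'not' covers every term rather than only the first one."""
    terms = [f"net {n}" for n in nets] + [f"host {h}" for h in hosts]
    if not terms:
        raise ValueError("need at least one network or host")
    return "not (" + " or ".join(terms) + ")"


_TOKEN = re.compile(r"\(|\)|[^\s()]+")


def bpf_matches(expr: str, src: str, dst: str) -> bool:
    """Evaluate a filter of 'net X' / 'host X' primitives with not/and/or and
    parentheses against one packet, using pcap-filter(7) precedence:
    'not' binds tightest, then 'and', then 'or'. A primitive matches when
    either endpoint lies inside the given prefix. Toy re-implementation,
    not libpcap; only these primitives are supported."""
    toks = _TOKEN.findall(expr)
    pos = 0
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)

    def peek():
        return toks[pos] if pos < len(toks) else None

    def take():
        nonlocal pos
        if pos >= len(toks):
            raise ValueError("unexpected end of filter")
        pos += 1
        return toks[pos - 1]

    def parse_or() -> bool:
        val = parse_and()
        while peek() == "or":
            take()
            rhs = parse_and()
            val = val or rhs
        return val

    def parse_and() -> bool:
        val = parse_not()
        while peek() == "and":
            take()
            rhs = parse_not()
            val = val and rhs
        return val

    def parse_not() -> bool:
        tok = peek()
        if tok == "not":
            take()
            return not parse_not()
        if tok == "(":
            take()
            val = parse_or()
            if take() != ")":
                raise ValueError("unbalanced parentheses in filter")
            return val
        kw, arg = take(), take()
        if kw == "net":
            prefix = ipaddress.ip_network(arg, strict=False)
            return s in prefix or d in prefix
        if kw == "host":
            addr = ipaddress.ip_address(arg)
            return s == addr or d == addr
        raise ValueError(f"unsupported primitive: {kw}")

    result = parse_or()
    if pos != len(toks):
        raise ValueError("trailing tokens in filter")
    return result


def precedence_demo() -> Tuple[bool, bool]:
    """One packet from a subnet that already has a sensor (constructed
    addresses) against the bare and the parenthesised filter. True means
    the packet passes the filter and would still be analysed."""
    bare = "not net 10.230.128.0/23 or net 10.230.64.0/23"
    fixed = build_restrict_filter(["10.230.128.0/23", "10.230.64.0/23"])
    src, dst = "10.230.64.5", "192.0.2.10"
    return bpf_matches(bare, src, dst), bpf_matches(fixed, src, dst)


# Constructed stand-in for packet_filter.log (Bro's tab-separated ASCII
# format with a '#fields' header). Only the column names are relied on.
SAMPLE_PACKET_FILTER_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tnode\tfilter\tinit\tsuccess",
    "#types\ttime\tstring\tstring\tbool\tbool",
    "1545050000.000000\tbro\t(not (host 10.230.91.2)) and "
    "(not (net 10.230.128.0/23 or net 10.230.64.0/23))\tT\tT",
])


def tcpdump_argv_from_packet_filter_log(log_text: str, iface: str,
                                        count: int = 20) -> List[str]:
    """Build the tcpdump command Jim suggests: capture a few packets with
    exactly the filter recorded in packet_filter.log (last record wins)."""
    fields, last = None, None
    for line in log_text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            last = line.split("\t")
    if fields is None or last is None:
        raise ValueError("no filter record found in log")
    rec = dict(zip(fields, last))
    return ["tcpdump", "-i", iface, "-nn", "-c", str(count), rec["filter"]]


if __name__ == "__main__":
    print("bare, parenthesised:", precedence_demo())
    print(shlex.join(tcpdump_argv_from_packet_filter_log(SAMPLE_PACKET_FILTER_LOG, "eth0")))
```

Run it on the sensor with the real `/var/spool/bro/bro/packet_filter.log` in place of the constructed text and paste the printed tcpdump line into a shell: if the twenty packets arrive and none of them come from a subnet that already has a sensor, the installed filter does what was intended; if packets from those subnets show up, the expression is still being parsed as `(not net A) or ...`.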