[Bro] BPF Syntax/Runtime Problem

Andy Millett andy at unimatrixzero.co.uk
Mon Dec 17 14:20:16 PST 2018


Hi Jim, 

Thanks a lot for the response. 

I removed the parentheses as suggested, and restarted the host itself. I do get a couple of files after the boot, one is the notice file - 

0.000000	-	-	-	-	-	-	-	-	-	PacketFilter::Install_Failure	Installing packet filter failed	(ip or not ip) and ((not (host 10.230.91.2) or (host 10.230.100.131)) and (not net 10.230.128.0/23 or net 10.230.64.0/23 or net 10.230.48.0/23 or net 10.230.130.0/23 or net 10.230.40.0/24 or net 10.230.237.0/24 or net 10.237.128.0/24 or net 10.230.108.0/24 or net 10.230.37.0/24 or net 10.230.38.0/24 or net 10.230.168.0/24 or net 10.230.72.0/24 or net 10.230.199.0/24 or net 10.230.177.0/24 or net 10.230.178.0/24 or net 10.230.179.0/24 or net 10.230.189.0/24 or net 10.230.183.0/24 or net 10.230.151.0/24 or net 10.230.165.0/24 or net 10.230.197.0/24 or net 10.230.167.0/24 or net 10.230.181.0/24 or net 10.230.31.0/24 or net 10.230.26.0/24 or net 10.230.180.0/24 or net 10.230.157.0/24 or net 10.230.159.0/24 or net 10.230.60.0/24 or net 10.230.150.0/24 or net 10.230.184.0/24 or net 10.230.202.0/24 or net 10.230.16.0/24 or net 10.230.156.0/24 or net 10.237.171.0/24 or net 10.230.76.0/24 or net 10.230.222.0/24 or net 10.230.186.0/24 or net 10.230.24.0/24 or net 10.237.162.0/24 or net 10.230.22.0/24 or net 10.230.112.0/23 or net 10.230.120.0/24 or net 10.230.163.0/24 or net 10.230.17.0/24 or net 10.230.152.0/24 or host 224.0.0.252))	-	-	-	-	bro	Notice::ACTION_LO3600.000000	F	-	-	-	-	-

If I try to run the filter in tcpdump, I get 

Warning: Kernel filter failed: Cannot allocate memory
tcpdump: can't remove kernel filter: No such file or directory

The stderr.log file logs the same -

Warning: Kernel filter failed: Cannot allocate memory

The server is a VM with 16GB memory. Nothing else running on it but Bro (based OS is Kali 2018). 

Best regards
Andy



> On 17 Dec 2018, at 20:50, Jim Mellander <jmellander at lbl.gov> wrote:
> 
> Hi:
> 
> I ran your filter on a local bro instance with no problems, although based on your description, shouldn't you have parentheses around the subnets in the restrict_filters["unmonitored nets"] expression? , i.e.
> 
> restrict_filters["unmonitored nets"] = "not (net 10.230.128.0/23 or net 10.230.64.0/23 or net 10.230.48.0/23 or net 10.230.130.0/23 or net 10.230.40.0/24 or net 10.230.237.0/24 or net 10.237.128.0/24 or net 10.230.108.0/24 or net 10.230.37.0/24 or net 10.230.38.0/24 or net 10.230.168.0/24 or net 10.230.72.0/24 or net 10.230.199.0/24 or net 10.230.177.0/24 or net 10.230.178.0/24 or net 10.230.179.0/24 or net 10.230.189.0/24 or net 10.230.183.0/24 or net 10.230.151.0/24 or net 10.230.165.0/24 or net 10.230.197.0/24 or net 10.230.167.0/24 or net 10.230.181.0/24 or net 10.230.31.0/24 or net 10.230.26.0/24 or net 10.230.180.0/24 or net 10.230.157.0/24 or net 10.230.159.0/24 or net 10.230.60.0/24 or net 10.230.150.0/24 or net 10.230.184.0/24 or net 10.230.202.0/24 or net 10.230.16.0/24 or net 10.230.156.0/24 or net 10.237.171.0/24 or net 10.230.76.0/24 or net 10.230.222.0/24 or net 10.230.186.0/24 or net 10.230.24.0/24 or net 10.237.162.0/24 or net 10.230.22.0/24 or net 10.230.112.0/23 or net 10.230.120.0/24 or net 10.230.163.0/24 or net 10.230.17.0/24 or net 10.230.152.0/24 or host 224.0.0.252)";
> 
> You might also take the filter in packet_filter.log and use that as the filter for a tcpdump and see if you are, in fact, capturing the traffic you expect.
> 
> Hope this helps,
> 
> Jim
> 
> 
> On Mon, Dec 17, 2018 at 6:37 AM Andy Millett <andy at unimatrixzero.co.uk> wrote:
> Hi guys, 
> 
> We have a number of distributed Bro IDS sensors running on Raspberry Pi hardware at over 50 MPLS sites which are small or medium size links (anything up to 50Mbps). We have another 100 sites which don’t have sensors deployed (yet), so we’re trying to capture as much additional information for our ELK stack at the corporate HQ where most traffic goes. With this, I want to bypass logging of subnets which already have a remote sensor deployed to reduce duplication in ELK. I’ve been trying to use the BPF syntax, but don’t appear to be very successful. 
> 
> For starters, I’ve tried this - 
> 
> event bro_init() &priority=-12
>        {
>        restrict_filters["ignore proxy node"] = "not (host 10.230.91.2)";
>        restrict_filters["unmonitored nets"] = "not net 10.230.128.0/23 or net 10.230.64.0/23 or net 10.230.48.0/23 or net 10.230.130.0/23 or net 10.230.40.0/24 or net 10.230.237.0/24 or net 10.237.128.0/24 or net 10.230.108.0/24 or net 10.230.37.0/24 or net 10.230.38.0/24 or net 10.230.168.0/24 or net 10.230.72.0/24 or net 10.230.199.0/24 or net 10.230.177.0/24 or net 10.230.178.0/24 or net 10.230.179.0/24 or net 10.230.189.0/24 or net 10.230.183.0/24 or net 10.230.151.0/24 or net 10.230.165.0/24 or net 10.230.197.0/24 or net 10.230.167.0/24 or net 10.230.181.0/24 or net 10.230.31.0/24 or net 10.230.26.0/24 or net 10.230.180.0/24 or net 10.230.157.0/24 or net 10.230.159.0/24 or net 10.230.60.0/24 or net 10.230.150.0/24 or net 10.230.184.0/24 or net 10.230.202.0/24 or net 10.230.16.0/24 or net 10.230.156.0/24 or net 10.237.171.0/24 or net 10.230.76.0/24 or net 10.230.222.0/24 or net 10.230.186.0/24 or net 10.230.24.0/24 or net 10.237.162.0/24 or net 10.230.22.0/24 or net 10.230.112.0/23 or net 10.230.120.0/24 or net 10.230.163.0/24 or net 10.230.17.0/24 or net 10.230.152.0/24 or host 224.0.0.252";
>        PacketFilter::install();
>        }
> 
> With such a sizeable filter, bro does checkout OK (broctl check), and it starts, but the spool directory never receives any traffic files. All we get is - 
> 
> root at bro00:/var/spool/bro/bro# ls
> communication.log  stderr.log  stdout.log
> 
> The stderr.log ends with - 
> 
> Warning: Kernel filter failed: Cannot allocate memory
> received termination signal
> 0 packets received on interface not open, 0 dropped
> 
> If I reduce the filters to just a couple of subnets (no more than 6), it works just fine. 
> 
> Any ideas greatly appreciated. 
> 
> Andy
> 
> 
> 
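The failure in this thread is a restrict_filters expression with dozens of `net` terms that the kernel refuses to install, so one practical mitigation is to make the expression smaller before Bro hands it to libpcap. The following is an added example, not code from the thread or from Bro/Zeek: it merges adjacent and overlapping CIDRs with Python's ipaddress module and then emits the expression with the enclosing parentheses Jim points out are needed. `SAMPLE_NETS` is a constructed subset of the thread's subnets, and `collapse_nets`, `build_unmonitored_filter` and `count_primitives` are names chosen here.

```python
# Added example (not from the thread): build a Bro/Zeek restrict_filters
# BPF expression from a list of networks, collapsing adjacent/overlapping
# CIDRs first so the kernel filter contains fewer primitives.
import ipaddress
import re


def collapse_nets(nets):
    """Merge adjacent and overlapping CIDRs (e.g. two /24s into one /23)."""
    parsed = [ipaddress.ip_network(n, strict=False) for n in nets]
    return [str(n) for n in ipaddress.collapse_addresses(parsed)]


def build_unmonitored_filter(nets, hosts=()):
    """Return 'not (net A or net B ... or host H)'. The parentheses make
    'not' apply to the whole alternation rather than only the first term."""
    terms = ["net " + n for n in collapse_nets(nets)]
    terms += ["host " + h for h in hosts]
    if not terms:
        return ""
    return "not (" + " or ".join(terms) + ")"


def count_primitives(bpf):
    """Count 'net'/'host' primitives in a filter string, a rough proxy for
    the size of the compiled BPF program the kernel has to accept."""
    return len(re.findall(r"\b(?:net|host)\s+\S+", bpf))


# Constructed sample: a subset of the thread's subnets chosen to show merges.
SAMPLE_NETS = [
    "10.230.128.0/23", "10.230.130.0/23",                     # -> 10.230.128.0/22
    "10.230.177.0/24", "10.230.178.0/24", "10.230.179.0/24",  # 178 + 179 -> /23
    "10.230.40.0/24",
]

if __name__ == "__main__":
    raw = "not (" + " or ".join("net " + n for n in SAMPLE_NETS) + " or host 224.0.0.252)"
    compact = build_unmonitored_filter(SAMPLE_NETS, hosts=["224.0.0.252"])
    print("primitives:", count_primitives(raw), "->", count_primitives(compact))
    print(compact)
```

The compiled size of any candidate expression can be inspected with `tcpdump -d -i <iface> '<expression>'`, which prints the BPF instructions tcpdump would install instead of capturing.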