[Bro] BPF Syntax/Runtime Problem

Jim Mellander jmellander at lbl.gov
Tue Dec 18 11:20:10 PST 2018


Seems likely that the common denominator between bro & tcpdump is your
libpcap library.  Has that been updated?  Alternatively, you could try
compiling and linking against the latest libpcap from tcpdump.org.  Could
also be some sort of kernel issue, although that seems unlikely.

See https://seclists.org/tcpdump/2008/q4/180 for further info on the error
message

Hope this helps

On Mon, Dec 17, 2018 at 2:20 PM Andy Millett <andy at unimatrixzero.co.uk>
wrote:

> Hi Jim,
>
> Thanks a lot for the response.
>
> I removed the parentheses as suggested, and restarted the host itself. I
> do get a couple of files after the boot, one is the notice file -
>
> 0.000000 - - - - - - - - - PacketFilter::Install_Failure Installing
> packet filter failed (ip or not ip) and ((not (host 10.230.91.2) or (host
> 10.230.100.131)) and (not net 10.230.128.0/23 or net 10.230.64.0/23 or
> net 10.230.48.0/23 or net 10.230.130.0/23 or net 10.230.40.0/24 or net
> 10.230.237.0/24 or net 10.237.128.0/24 or net 10.230.108.0/24 or net
> 10.230.37.0/24 or net 10.230.38.0/24 or net 10.230.168.0/24 or net
> 10.230.72.0/24 or net 10.230.199.0/24 or net 10.230.177.0/24 or net
> 10.230.178.0/24 or net 10.230.179.0/24 or net 10.230.189.0/24 or net
> 10.230.183.0/24 or net 10.230.151.0/24 or net 10.230.165.0/24 or net
> 10.230.197.0/24 or net 10.230.167.0/24 or net 10.230.181.0/24 or net
> 10.230.31.0/24 or net 10.230.26.0/24 or net 10.230.180.0/24 or net
> 10.230.157.0/24 or net 10.230.159.0/24 or net 10.230.60.0/24 or net
> 10.230.150.0/24 or net 10.230.184.0/24 or net 10.230.202.0/24 or net
> 10.230.16.0/24 or net 10.230.156.0/24 or net 10.237.171.0/24 or net
> 10.230.76.0/24 or net 10.230.222.0/24 or net 10.230.186.0/24 or net
> 10.230.24.0/24 or net 10.237.162.0/24 or net 10.230.22.0/24 or net
> 10.230.112.0/23 or net 10.230.120.0/24 or net 10.230.163.0/24 or net
> 10.230.17.0/24 or net 10.230.152.0/24 or host 224.0.0.252)) - - - - bro
> Notice::ACTION_LOG 3600.000000 F - - - - -
>
> If I try to run the filter in tcpdump, I get
>
> Warning: Kernel filter failed: Cannot allocate memory
> tcpdump: can't remove kernel filter: No such file or directory
>
> The stderr.log file logs the same -
>
> Warning: Kernel filter failed: Cannot allocate memory
>
> The server is a VM with 16GB memory. Nothing else running on it but Bro
> (based OS is Kali 2018).
>
> Best regards
> Andy
>
>
>
> On 17 Dec 2018, at 20:50, Jim Mellander <jmellander at lbl.gov> wrote:
>
> Hi:
>
> I ran your filter on a local bro instance with no problems, although based
> on your description, shouldn't you have parentheses around the subnets in
> the restrict_filters["unmonitored nets"] expression? , i.e.
>
> restrict_filters["unmonitored nets"] = "not (net 10.230.128.0/23 or net
> 10.230.64.0/23 or net 10.230.48.0/23 or net 10.230.130.0/23 or net
> 10.230.40.0/24 or net 10.230.237.0/24 or net 10.237.128.0/24 or net
> 10.230.108.0/24 or net 10.230.37.0/24 or net 10.230.38.0/24 or net
> 10.230.168.0/24 or net 10.230.72.0/24 or net 10.230.199.0/24 or net
> 10.230.177.0/24 or net 10.230.178.0/24 or net 10.230.179.0/24 or net
> 10.230.189.0/24 or net 10.230.183.0/24 or net 10.230.151.0/24 or net
> 10.230.165.0/24 or net 10.230.197.0/24 or net 10.230.167.0/24 or net
> 10.230.181.0/24 or net 10.230.31.0/24 or net 10.230.26.0/24 or net
> 10.230.180.0/24 or net 10.230.157.0/24 or net 10.230.159.0/24 or net
> 10.230.60.0/24 or net 10.230.150.0/24 or net 10.230.184.0/24 or net
> 10.230.202.0/24 or net 10.230.16.0/24 or net 10.230.156.0/24 or net
> 10.237.171.0/24 or net 10.230.76.0/24 or net 10.230.222.0/24 or net
> 10.230.186.0/24 or net 10.230.24.0/24 or net 10.237.162.0/24 or net
> 10.230.22.0/24 or net 10.230.112.0/23 or net 10.230.120.0/24 or net
> 10.230.163.0/24 or net 10.230.17.0/24 or net 10.230.152.0/24 or host
> 224.0.0.252)";
>
> You might also take the filter in packet_filter.log and use that as the
> filter for a tcpdump and see if you are, in fact, capturing the traffic you
> expect.
>
> Hope this helps,
>
> Jim
>
>
> On Mon, Dec 17, 2018 at 6:37 AM Andy Millett <andy at unimatrixzero.co.uk>
> wrote:
>
>> Hi guys,
>>
>> We have a number of distributed Bro IDS sensors running on Raspberry Pi
>> hardware at over 50 MPLS sites which are small or medium size links
>> (anything up to 50Mbps). We have another 100 sites which don’t have sensors
>> deployed (yet), so we’re trying to capture as much additional information
>> for our ELK stack at the corporate HQ where most traffic goes. With this, I
>> want to bypass logging of subnets which already have a remote sensor
>> deployed to reduce duplication in ELK. I’ve been trying to use the BPF
>> syntax, but don’t appear to be very successful.
>>
>> For starters, I’ve tried this -
>>
>> event bro_init() &priority=-12
>>        {
>>        restrict_filters["ignore proxy node"] = "not (host 10.230.91.2)";
>>        restrict_filters["unmonitored nets"] = "not net 10.230.128.0/23 or net
>> 10.230.64.0/23 or net 10.230.48.0/23 or net 10.230.130.0/23 or net
>> 10.230.40.0/24 or net 10.230.237.0/24 or net 10.237.128.0/24 or net
>> 10.230.108.0/24 or net 10.230.37.0/24 or net 10.230.38.0/24 or net
>> 10.230.168.0/24 or net 10.230.72.0/24 or net 10.230.199.0/24 or net
>> 10.230.177.0/24 or net 10.230.178.0/24 or net 10.230.179.0/24 or net
>> 10.230.189.0/24 or net 10.230.183.0/24 or net 10.230.151.0/24 or net
>> 10.230.165.0/24 or net 10.230.197.0/24 or net 10.230.167.0/24 or net
>> 10.230.181.0/24 or net 10.230.31.0/24 or net 10.230.26.0/24 or net
>> 10.230.180.0/24 or net 10.230.157.0/24 or net 10.230.159.0/24 or net
>> 10.230.60.0/24 or net 10.230.150.0/24 or net 10.230.184.0/24 or net
>> 10.230.202.0/24 or net 10.230.16.0/24 or net 10.230.156.0/24 or net
>> 10.237.171.0/24 or net 10.230.76.0/24 or net 10.230.222.0/24 or net
>> 10.230.186.0/24 or net 10.230.24.0/24 or net 10.237.162.0/24 or net
>> 10.230.22.0/24 or net 10.230.112.0/23 or net 10.230.120.0/24 or net
>> 10.230.163.0/24 or net 10.230.17.0/24 or net 10.230.152.0/24 or host
>> 224.0.0.252";
>>        PacketFilter::install();
>>        }
>>
>> With such a sizeable filter, bro does checkout OK (broctl check), and it
>> starts, but the spool directory never receives any traffic files. All we
>> get is -
>>
>> root at bro00:/var/spool/bro/bro# ls
>> communication.log  stderr.log  stdout.log
>>
>> The stderr.log ends with -
>>
>> Warning: Kernel filter failed: Cannot allocate memory
>> received termination signal
>> 0 packets received on interface not open, 0 dropped
>>
>> If I reduce the filters to just a couple of subnets (no more than 6), it
>> works just fine.
>>
>> Any ideas greatly appreciated.
>>
>> Andy
>>
>>
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
>
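An added example (not code from the thread or from Bro itself) that works through the two points above: it builds the restrict_filters value with the parentheses Jim suggests, folds adjacent CIDRs into fewer "net" terms so the compiled BPF program is smaller, and checks on constructed packets how the unparenthesised form from the original post behaves. The net list is a subset of Andy's; the packet tuples are made up.

```python
import ipaddress

# Subset of the subnets from the thread's filter (constructed sample input).
UNMONITORED_NETS = [
    "10.230.128.0/23", "10.230.130.0/23", "10.230.150.0/24", "10.230.151.0/24",
    "10.230.178.0/24", "10.230.179.0/24", "10.230.180.0/24", "10.230.181.0/24",
    "10.230.16.0/24", "10.230.17.0/24", "10.230.37.0/24", "10.230.183.0/24",
]
UNMONITORED_HOSTS = ["224.0.0.252"]


def collapse_nets(nets):
    """Merge adjacent or overlapping CIDRs: each block left is one BPF 'net' term,
    so fewer terms means a smaller filter program for the kernel to accept."""
    blocks = ipaddress.collapse_addresses(ipaddress.ip_network(n) for n in nets)
    return [str(b) for b in blocks]


def build_restrict_filter(nets, hosts):
    """Value for restrict_filters[...]: negate the whole disjunction, as Jim advised."""
    terms = [f"net {n}" for n in collapse_nets(nets)] + [f"host {h}" for h in hosts]
    return "not (" + " or ".join(terms) + ")"


def _touches(addr, nets, hosts):
    """BPF 'net X' / 'host X' match either endpoint; caller passes src and dst."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in nets) or addr in hosts


def intended_keeps(packet, nets, hosts):
    """'not (net A or net B or ... )': keep a packet only if neither endpoint
    is in any listed net or host."""
    src, dst = packet
    return not (_touches(src, nets, hosts) or _touches(dst, nets, hosts))


def unparenthesised_keeps(packet, nets, hosts):
    """'not net A or net B or ...': 'not' binds tighter than 'or', so this reads
    (not net A) or net B or ...; only net A is excluded, everything else passes."""
    src, dst = packet
    first, rest = nets[0], nets[1:]
    outside_first = not (_touches(src, [first], []) or _touches(dst, [first], []))
    return outside_first or _touches(src, rest, hosts) or _touches(dst, rest, hosts)


if __name__ == "__main__":
    print(build_restrict_filter(UNMONITORED_NETS, UNMONITORED_HOSTS))
    pkt = ("10.230.150.7", "8.8.8.8")   # constructed: source is in a monitored net
    print("intended:", intended_keeps(pkt, UNMONITORED_NETS, UNMONITORED_HOSTS))
    print("unparenthesised:", unparenthesised_keeps(pkt, UNMONITORED_NETS, UNMONITORED_HOSTS))
```

Running the two evaluators on the same packet shows why the filter in the original post would not reduce duplicate logging even if it installed: a packet from 10.230.150.7 is kept by the unparenthesised form and dropped by the intended one.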