[Zeek] Zeek 2.6.1 - packet_filter - unable to filter out traffic

[Konrad Weglowski]

Hello,

I have added the following to local.bro in order to test filtering out
certain traffic from inspection:

redef restrict_filters += {
        ["Exclude Test"] = "not (src host 192.168.204.2 and dst host
8.8.8.8 and dst port 53)"
};

Bro restarts no problem but the filter is not taking effect. If I look at
packet_filter.log it is not showing up there either:

more packet_filter.log
#separator \x09
#set_separator  ,
#empty_field    (empty)
#unset_field    -
#path   packet_filter
#open   2019-03-05-19-16-49
#fields ts      node    filter  init    success
#types  time    string  string  bool    bool

I also tried adding the filter in broctl.cfg as per below:

broargs = -f 'not (src host 192.168.204.2 and dst host 8.8.8.8 and dst port
53)'

Argument would show up in the bro process list but again filter would not
take affect.

I have the same configuration in local.bro on another instance running Bro
v2.5.5 and it works. Below you can see output from packet_filter.log:

more packet_filter.log
#separator \x09
#set_separator  ,
#empty_field    (empty)
#unset_field    -
#path   packet_filter
#open   2019-03-05-19-09-48
#fields ts      node    filter  init    success
#types  time    string  string  bool    bool
1551812988.372400       bro     (ip or not ip) and (not (src host
192.168.204.2 and dst host 8.8.8.8 and dst port 53))  T       T

Do you know what could be the issue here?

Also is there another way of filtering out traffic? For example have a file
with bunch of BPF filters that could be passed on to Bro at startup instead
of modifying the local.bro file each time traffic needs to be excluded?

Thank You

Konrad
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190305/f262914f/attachment.html