BPF Filter Help

Good Evening Bro Team,

I have run into an issue with using the BPF packet filter. I have had the same issue using Bro 2.2, 2.3.1, and 2.3.411 on both Ubuntu 14.04 and Gentoo 3.0.2. The way I am calling the packet filter is through the local.bro file using this command:

# Packet Filter options
event bro_init()
    {
    # Straight ASCII quotes are required; curly quotes will not parse.
    PacketFilter::exclude("ignore_this_conn", "host 10.8.0.85 and port 53");
    }

and you can see it accepted the filter using “broctl diag”:

1423442280.253256 bro (ip or not ip) and (not (host 10.8.0.85 and port 53)) T T

If you used an incorrect bpf filter like “source.host 10.8.0.85” the “broctl diag” would give you nothing:

1423442280.253847 bro (ip or not ip) T T

What I am currently trying to do is exclude DNS traffic with a destination of this host and port 53:

(dst host 10.8.0.85 and dst port 53)

When I add this to the exclude statement, the BPF is accepted:

1423442632.139980 bro (ip or not ip) and (not (dst host 10.8.0.85 and dst port 53)) T T

However, the traffic is still being allowed and not excluded:

1423442692.141824 C7pSulFJiU150KhFk 10.8.1.43 46088 10.8.0.85 53 udp 33647 - - - - -

The only way I have been able to successfully get this to work is by defining only “host” or “port”. I have not been able to get this to be successful using a “src host”, “dst host”, “src port”, or “dst port”.

This creates a problem to the point that it’s almost unusable to me, as I cannot ignore all traffic for “host 10.8.0.85 and port 53”.

Any help with this would be greatly appreciated!

Thank You,

Adam B. Hall | CCNA
Senior Security Analyst

Office: 1-800-538-9357 x 122
Mobile: 1-904-303-3198
Quadrant Information Security
4651 Salisbury Road, Suite 185 | Jacksonville, FL 32256

See our Quadrant Video
https://quadrantsec.com/SaganMSSP/

It’s unlikely that you are ever going to want to use the “src” or “dst” modifiers in filters meant for Bro. Bro is intended to look at both directions of traffic to successfully analyze connections and you are intrinsically breaking that when you use src or dst.

What is the end result you’re trying to get to? You just don’t want to see dns traffic involving host 10.8.0.85?

The problem here is that there is a disjoint in the semantics of BPF and the typical semantics of Bro. Bro operates on connections (and flows to a slightly lesser degree currently). BPF is completely oriented around packets. It causes these little confusions unfortunately.

  .Seth
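Seth's packet-versus-connection point, illustrated with an added example that is not code from this thread or from Bro: a small evaluator for the BPF subset Adam used (host/port with optional src/dst, and, not, parentheses), run over a constructed two-packet DNS exchange. The packet dicts, the tuple AST and the helper names are assumptions of this example; real BPF is evaluated by libpcap, not by this code.

```python
import re
TOKEN = re.compile(r"\(|\)|[\w.]+")  # parentheses, keywords, addresses, ports

def parse(expr):
    """Parse the BPF subset used in the thread (host/port, src/dst, and, not, parentheses)."""
    toks = TOKEN.findall(expr)
    take = lambda: toks.pop(0) if toks else ""
    def primary():                         # 'not' binds tighter than 'and' in BPF
        tok = take()
        if tok == "(":
            node = and_expr()
            if take() != ")":
                raise ValueError("expected ')'")
            return node
        if tok == "not":
            return ("not", primary())
        direction = None
        if tok in ("src", "dst"):
            direction, tok = tok, take()
        if tok not in ("host", "port"):    # e.g. "source.host": rejected, as broctl diag did
            raise ValueError("unsupported primitive: %r" % tok)
        return (tok, direction, take() if tok == "host" else int(take()))
    def and_expr():
        node = primary()
        while toks and toks[0] == "and":
            take()
            node = ("and", node, primary())
        return node
    return and_expr()

def matches(node, pkt):
    """Evaluate one packet on its own, as BPF does: no connection state is involved."""
    if node[0] == "not":
        return not matches(node[1], pkt)
    if node[0] == "and":
        return matches(node[1], pkt) and matches(node[2], pkt)
    kind, direction, value = node          # e.g. ("host", "dst", "10.8.0.85")
    src, dst = pkt["src_" + kind], pkt["dst_" + kind]
    # plain host/port matches either end; src/dst restricts to one direction
    return value in {"src": (src,), "dst": (dst,)}.get(direction, (src, dst))

def surviving(exclude_filter, pkts):
    """Packets that still reach Bro after PacketFilter::exclude(exclude_filter)."""
    node = parse("not (%s)" % exclude_filter)
    return [p for p in pkts if matches(node, p)]

# Constructed DNS exchange mirroring the thread's conn.log line: query, then reply.
DNS_EXCHANGE = [
    {"src_host": "10.8.1.43", "src_port": 46088, "dst_host": "10.8.0.85", "dst_port": 53},
    {"src_host": "10.8.0.85", "src_port": 53, "dst_host": "10.8.1.43", "dst_port": 46088},
]
```

With "host 10.8.0.85 and port 53" both packets are dropped, but with "dst host 10.8.0.85 and dst port 53" the reply packet from 10.8.0.85:53 still passes the filter, so Bro still sees enough of the exchange to log a connection.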

Adam,

What you describe here is a fairly straightforward match/action rule - in your case you want to perform some action when you receive dst host 10.8.0.56 / dst port 53 / src host X / src port Y traffic - right? This operation can be done on an intelligent NIC card without any interaction with Bro (or BPF for that matter).

If you would like more information on how we could help solve this problem, please email me privately.

Regards,
DJ Root

Is there any reason why you cannot share this kind of information on the list, so everyone can benefit?

Looks like man ethtool, right?

Michal,

No, there is not. However, I come from the vendor side and, therefore, don’t want to disrupt the integrity of a technology mailing list. That said, we have Bro running in our lab, so our claims can be supported by real data and demos.

As far as the question below is concerned, we (Netronome) have intelligent NICs and software to do match / action operations in hardware. We can set up 5-tuple filtering in hardware, which can address Adam’s problem. Result - BPF is off-loaded from the CPU; Bro is not changed, but now has more CPU cycles to process flows.

Regards,
DJ Root

DJ Root
Director of Sales, Americas East and EMEA
Netronome, Inc.
(617)686-0253

Do you use the X520 chip by accident?

No. We design and develop our own ASIC (Flow Processor). It is the NFP32xx and NFP6xxx. We use Intel as our foundry.

Regards,
DJ