Good Evening Bro Team,
I have run into an issue with using the BPF packet filter. I have had the same issue using Bro 2.2, 2.3.1, and 2.3.411 on both Ubuntu 14.04 and Gentoo 3.0.2. The way I am calling the packet filter is through the local.bro file using this command:
# Packet Filter options
event bro_init()
    {
    # Register a named BPF exclusion; Bro wraps it as (not (...)) around its default filter
    PacketFilter::exclude("ignore_this_conn", "host 10.8.0.85 and port 53");
    }
and you can see it accepted the filter using "broctl diag":
1423442280.253256 bro (ip or not ip) and (not (host 10.8.0.85 and port 53)) T T
If you used an incorrect BPF filter like "source.host 10.8.0.85", "broctl diag" would give you nothing:
1423442280.253847 bro (ip or not ip) T T
What I am currently trying to do is exclude dns traffic with a destination of this host and port 53:
(dst host 10.8.0.85 and dst port 53)
When I add this in the exclude statement, the BPF is accepted:
1423442632.139980 bro (ip or not ip) and (not (dst host 10.8.0.85 and dst port 53)) T T
However, the traffic is still being allowed and not excluded:
1423442692.141824 C7pSulFJiU150KhFk 10.8.1.43 46088 10.8.0.85 53 udp 33647 - - - - -
The only way I have been able to successfully get this to work is by defining only "host" or "port". I have not been able to get this to be successful using a "src host", "dst host", "src port", or "dst port".
This creates a problem to the point that it's almost unusable to me, as I cannot ignore all traffic for "host 10.8.0.85 and port 53".
Any help with this would be greatly appreciated!
Thank You,
Adam B. Hall | CCNA
Senior Security Analyst
Office: 1-800-538-9357 x 122
Mobile: 1-904-303-3198
Quadrant Information Security
4651 Salisbury Road, Suite 185 | Jacksonville, FL 32256
See our Quadrant Video
https://quadrantsec.com/SaganMSSP/
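The following toy evaluator is an added example and is neither Bro's code nor a substitute for libpcap's real filter compiler; it covers only the primitives that appear in the post above (host, src host, dst host, port, src port, dst port, combined with and, or, not and parentheses). It shows the directional semantics of BPF that matter for this exclusion: plain "host" and "port" match either endpoint of a packet, while the "src"/"dst" forms test one end only, so an exclusion written as "dst host 10.8.0.85 and dst port 53" drops the query packets but leaves the server's reply packets (source 10.8.0.85, source port 53) in the capture. The two packets of the DNS exchange are constructed from the conn.log line in the post, the "(ip or not ip) and (not (...))" wrapping mirrors the broctl diag output, and the parser rejects unsupported syntax such as "source.host" the same way broctl diag shows nothing for it.

```python
"""Toy evaluator for the subset of BPF filter syntax used in the post.

Added example: not Bro's own code and not libpcap's compiler. It exists only
to check, offline, which packets of a constructed DNS exchange an exclusion
filter would still let through.
"""
import re
from collections import namedtuple

# A packet is reduced to the four header fields BPF host/port tests look at.
Packet = namedtuple("Packet", "src sport dst dport")

# Tokens: parentheses, dotted-quad IPs (tried before plain integers), ports, keywords.
_TOKEN = re.compile(r"\(|\)|\d+(?:\.\d+){3}|\d+|[A-Za-z]+")
_IPV4 = re.compile(r"\d+(?:\.\d+){3}")


def tokenize(expr):
    tokens = _TOKEN.findall(expr)
    # Anything the tokenizer skipped (e.g. the '.' in "source.host") is unsupported.
    if "".join(tokens) != expr.replace(" ", ""):
        raise ValueError("unsupported characters in filter: %r" % expr)
    return tokens


class Parser:
    """Recursive-descent parser producing a small tuple-based AST."""

    def __init__(self, expr):
        self.toks = tokenize(expr)
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of filter")
        if expected is not None and tok != expected:
            raise ValueError("expected %r, got %r" % (expected, tok))
        self.pos += 1
        return tok

    def parse(self):
        node = self.expr()
        if self.peek() is not None:
            raise ValueError("trailing tokens: %r" % self.toks[self.pos:])
        return node

    def expr(self):        # expr := conj ('or' conj)*      ('and' binds tighter)
        node = self.conj()
        while self.peek() == "or":
            self.take()
            node = ("or", node, self.conj())
        return node

    def conj(self):        # conj := unary ('and' unary)*
        node = self.unary()
        while self.peek() == "and":
            self.take()
            node = ("and", node, self.unary())
        return node

    def unary(self):       # unary := 'not' unary | '(' expr ')' | primitive
        tok = self.peek()
        if tok == "not":
            self.take()
            return ("not", self.unary())
        if tok == "(":
            self.take()
            node = self.expr()
            self.take(")")
            return node
        return self.primitive()

    def primitive(self):   # primitive := ['src'|'dst'] ('host' IP | 'port' N)
        direction = self.take() if self.peek() in ("src", "dst") else None
        kind = self.take()
        if kind == "host":
            value = self.take()
            if not _IPV4.fullmatch(value):
                raise ValueError("bad host %r" % value)
        elif kind == "port":
            value = int(self.take())
        else:
            raise ValueError("unknown primitive %r" % kind)
        return (kind, direction, value)


def compile_filter(expr):
    return Parser(expr).parse()


def is_valid_filter(expr):
    """True if the subset parser accepts the expression, False otherwise."""
    try:
        compile_filter(expr)
        return True
    except ValueError:
        return False


def matches(node, pkt):
    """Evaluate an AST against one packet."""
    op = node[0]
    if op == "and":
        return matches(node[1], pkt) and matches(node[2], pkt)
    if op == "or":
        return matches(node[1], pkt) or matches(node[2], pkt)
    if op == "not":
        return not matches(node[1], pkt)
    kind, direction, value = node
    src, dst = (pkt.src, pkt.dst) if kind == "host" else (pkt.sport, pkt.dport)
    if direction == "src":
        return src == value
    if direction == "dst":
        return dst == value
    return src == value or dst == value   # plain host/port: either endpoint


def captured(exclude_expr, packets):
    """Packets still seen under Bro's '(ip or not ip) and (not (exclude))'."""
    node = compile_filter(exclude_expr)
    return [p for p in packets if not matches(node, p)]


# Constructed DNS exchange, built from the conn.log line in the post.
REQUEST = Packet("10.8.1.43", 46088, "10.8.0.85", 53)
REPLY = Packet("10.8.0.85", 53, "10.8.1.43", 46088)
DNS_EXCHANGE = [REQUEST, REPLY]

if __name__ == "__main__":
    for expr in ("host 10.8.0.85 and port 53",
                 "dst host 10.8.0.85 and dst port 53"):
        left = captured(expr, DNS_EXCHANGE)
        print("%-38s -> %d of %d packets still captured"
              % (expr, len(left), len(DNS_EXCHANGE)))
```

Running it prints that the "host ... and port 53" exclusion leaves 0 of 2 packets while the "dst host ... and dst port 53" exclusion leaves 1 of 2 (the reply). To exclude both directions with directional primitives, the filter has to name both halves of the exchange explicitly, e.g. "(dst host 10.8.0.85 and dst port 53) or (src host 10.8.0.85 and src port 53)", which the evaluator can be used to confirm before it is put into local.bro.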