BPF Syntax/Runtime Problem

Hi guys,

We have a number of distributed Bro IDS sensors running on Raspberry Pi hardware at over 50 MPLS sites which are small or medium size links (anything up to 50Mbps). We have another 100 sites which don’t have sensors deployed (yet), so we’re trying to capture as much additional information for our ELK stack at the corporate HQ where most traffic goes. With this, I want to bypass logging of subnets which already have a remote sensor deployed to reduce duplication in ELK. I’ve been trying to use the BPF syntax, but don’t appear to be very successful.

For starters, I’ve tried this -

event bro_init() &priority=-12
{
    restrict_filters["ignore proxy node"] = "not (host 10.230.91.2)";
    restrict_filters["unmonitored nets"] = "not net 10.230.128.0/23 or net 10.230.64.0/23 or net 10.230.48.0/23 or net 10.230.130.0/23 or net 10.230.40.0/24 or net 10.230.237.0/24 or net 10.237.128.0/24 or net 10.230.108.0/24 or net 10.230.37.0/24 or net 10.230.38.0/24 or net 10.230.168.0/24 or net 10.230.72.0/24 or net 10.230.199.0/24 or net 10.230.177.0/24 or net 10.230.178.0/24 or net 10.230.179.0/24 or net 10.230.189.0/24 or net 10.230.183.0/24 or net 10.230.151.0/24 or net 10.230.165.0/24 or net 10.230.197.0/24 or net 10.230.167.0/24 or net 10.230.181.0/24 or net 10.230.31.0/24 or net 10.230.26.0/24 or net 10.230.180.0/24 or net 10.230.157.0/24 or net 10.230.159.0/24 or net 10.230.60.0/24 or net 10.230.150.0/24 or net 10.230.184.0/24 or net 10.230.202.0/24 or net 10.230.16.0/24 or net 10.230.156.0/24 or net 10.237.171.0/24 or net 10.230.76.0/24 or net 10.230.222.0/24 or net 10.230.186.0/24 or net 10.230.24.0/24 or net 10.237.162.0/24 or net 10.230.22.0/24 or net 10.230.112.0/23 or net 10.230.120.0/24 or net 10.230.163.0/24 or net 10.230.17.0/24 or net 10.230.152.0/24 or host 224.0.0.252";
    PacketFilter::install();
}

With such a sizeable filter, bro does check out OK (broctl check), and it starts, but the spool directory never receives any traffic files. All we get is -

root@bro00:/var/spool/bro/bro# ls
communication.log stderr.log stdout.log

The stderr.log ends with -

Warning: Kernel filter failed: Cannot allocate memory
received termination signal
0 packets received on interface not open, 0 dropped

If I reduce the filters to just a couple of subnets (no more than 6), it works just fine.

Any ideas greatly appreciated.

Andy

Hi:

I ran your filter on a local bro instance with no problems, although based on your description, shouldn't you have parentheses around the subnets in the restrict_filters["unmonitored nets"] expression, i.e.

restrict_filters["unmonitored nets"] = "not (net 10.230.128.0/23 or net 10.230.64.0/23 or net 10.230.48.0/23 or net 10.230.130.0/23 or net 10.230.40.0/24 or net 10.230.237.0/24 or net 10.237.128.0/24 or net 10.230.108.0/24 or net 10.230.37.0/24 or net 10.230.38.0/24 or net 10.230.168.0/24 or net 10.230.72.0/24 or net 10.230.199.0/24 or net 10.230.177.0/24 or net 10.230.178.0/24 or net 10.230.179.0/24 or net 10.230.189.0/24 or net 10.230.183.0/24 or net 10.230.151.0/24 or net 10.230.165.0/24 or net 10.230.197.0/24 or net 10.230.167.0/24 or net 10.230.181.0/24 or net 10.230.31.0/24 or net 10.230.26.0/24 or net 10.230.180.0/24 or net 10.230.157.0/24 or net 10.230.159.0/24 or net 10.230.60.0/24 or net 10.230.150.0/24 or net 10.230.184.0/24 or net 10.230.202.0/24 or net 10.230.16.0/24 or net 10.230.156.0/24 or net 10.237.171.0/24 or net 10.230.76.0/24 or net 10.230.222.0/24 or net 10.230.186.0/24 or net 10.230.24.0/24 or net 10.237.162.0/24 or net 10.230.22.0/24 or net 10.230.112.0/23 or net 10.230.120.0/24 or net 10.230.163.0/24 or net 10.230.17.0/24 or net 10.230.152.0/24 or host 224.0.0.252)";

You might also take the filter in packet_filter.log and use that as the filter for a tcpdump and see if you are, in fact, capturing the traffic you expect.

Hope this helps,

Jim
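To make the precedence point in Jim's reply concrete, here is an added example (not from the thread, and not Bro/Zeek or libpcap code): a small evaluator for the pcap-filter subset these filters use, which shows that without the parentheses "not" applies only to the first subnet, so a packet from any of the other "unmonitored" subnets still passes the filter. NETS, FLAT, GROUPED, passes() and the sample packets are constructed for illustration; in pcap-filter "not" binds tighter than "and", which binds tighter than "or".

```python
import ipaddress
import re

# Constructed sample: the thread's two filter forms over four of the posted subnets
# (the full list parses the same way, just with more "or net ..." terms).
NETS = ["10.230.128.0/23", "10.230.64.0/23", "10.230.40.0/24", "10.230.237.0/24"]
FLAT = "not " + " or ".join("net " + n for n in NETS)            # as first posted
GROUPED = "not (" + " or ".join("net " + n for n in NETS) + ")"   # as Jim suggested

def parse(expr):
    """Parse the pcap-filter subset used here; precedence (highest first): parens, not, and, or."""
    toks, pos = re.findall(r"\(|\)|[^\s()]+", expr), [0]
    def peek(): return toks[pos[0]] if pos[0] < len(toks) else None
    def take(): pos[0] += 1; return toks[pos[0] - 1]
    def primary():
        tok = take()
        if tok == "(":
            node = expr_or()
            assert take() == ")", "missing closing parenthesis"
            return node
        if tok == "not":   # 'not' binds only to the next primitive, not to the whole 'or' chain
            return ("not", primary())
        if tok == "net": return ("net", ipaddress.ip_network(take(), strict=False))
        if tok == "host": return ("host", ipaddress.ip_address(take()))
        raise ValueError("unsupported token: " + tok)
    def binary(op, sub):   # left-associative chain of `op` over the next-tighter level `sub`
        node = sub()
        while peek() == op:
            take()
            node = (op, node, sub())
        return node
    expr_and = lambda: binary("and", primary)
    expr_or = lambda: binary("or", expr_and)
    node = expr_or()
    assert peek() is None, "trailing tokens"
    return node

def matches(node, src, dst):
    """True if a packet src->dst passes the filter; net/host match either end, as in pcap."""
    op = node[0]
    if op == "net": return src in node[1] or dst in node[1]
    if op == "host": return node[1] in (src, dst)
    if op == "not": return not matches(node[1], src, dst)
    left, right = matches(node[1], src, dst), matches(node[2], src, dst)
    return (left and right) if op == "and" else (left or right)

def passes(filter_text, src, dst):
    """Evaluate a filter string against one constructed packet (dotted-quad src and dst)."""
    return matches(parse(filter_text), ipaddress.ip_address(src), ipaddress.ip_address(dst))
```

A packet from 10.230.64.10 (a subnet that already has a sensor) to the HQ proxy passes FLAT but is correctly dropped by GROUPED; tcpdump -d on both strings would show the same difference in the compiled program.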

Hi Jim,

Thanks a lot for the response.

I removed the parentheses as suggested, and restarted the host itself. I do get a couple of files after the boot; one is the notice file -

0.000000 - - - - - - - - - PacketFilter::Install_Failure Installing packet filter failed (ip or not ip) and ((not (host 10.230.91.2) or (host 10.230.100.131)) and (not net 10.230.128.0/23 or net 10.230.64.0/23 or net 10.230.48.0/23 or net 10.230.130.0/23 or net 10.230.40.0/24 or net 10.230.237.0/24 or net 10.237.128.0/24 or net 10.230.108.0/24 or net 10.230.37.0/24 or net 10.230.38.0/24 or net 10.230.168.0/24 or net 10.230.72.0/24 or net 10.230.199.0/24 or net 10.230.177.0/24 or net 10.230.178.0/24 or net 10.230.179.0/24 or net 10.230.189.0/24 or net 10.230.183.0/24 or net 10.230.151.0/24 or net 10.230.165.0/24 or net 10.230.197.0/24 or net 10.230.167.0/24 or net 10.230.181.0/24 or net 10.230.31.0/24 or net 10.230.26.0/24 or net 10.230.180.0/24 or net 10.230.157.0/24 or net 10.230.159.0/24 or net 10.230.60.0/24 or net 10.230.150.0/24 or net 10.230.184.0/24 or net 10.230.202.0/24 or net 10.230.16.0/24 or net 10.230.156.0/24 or net 10.237.171.0/24 or net 10.230.76.0/24 or net 10.230.222.0/24 or net 10.230.186.0/24 or net 10.230.24.0/24 or net 10.237.162.0/24 or net 10.230.22.0/24 or net 10.230.112.0/23 or net 10.230.120.0/24 or net 10.230.163.0/24 or net 10.230.17.0/24 or net 10.230.152.0/24 or host 224.0.0.252)) - - - - bro Notice::ACTION_LO3600.000000 F - - - - -

If I try to run the filter in tcpdump, I get

Warning: Kernel filter failed: Cannot allocate memory
tcpdump: can’t remove kernel filter: No such file or directory

The stderr.log file logs the same -

Warning: Kernel filter failed: Cannot allocate memory

The server is a VM with 16GB memory. Nothing else running on it but Bro (base OS is Kali 2018).

Best regards
Andy

Seems likely that the common denominator between bro & tcpdump is your libpcap library. Has that been updated? Alternatively, you could try compiling and linking against the latest libpcap from tcpdump.org. Could also be some sort of kernel issue, although that seems unlikely.

See https://seclists.org/tcpdump/2008/q4/180 for further info on the error message.

Hope this helps