Bro restrict filters question

Edgmand_Craig · June 13, 2017, 2:59pm

Hello,

I am running Bro 2.5 and I am trying to set up some restrict_filters to drop certain hosts and types of traffic.

I have the following entries in my local.bro…

redef PacketFilter::enable_auto_protocol_capture_filters = F;
redef capture_filters = { [“packets-like-this”] = “ip or not ip” };
redef restrict_filters = { [“no-data-like-this”] = “not host 192.168.2.1” };

I had something similar in earlier versions of Bro that seemed to work but this doesn’t work at all.

When I run ./broctl print restrict_filters it shows that the workers have that filter.

Any ideas?

Thanks,

Craig Edgmand

Oklahoma State University

Azoff_Justin_S · June 13, 2017, 3:12pm

Is your traffic vlan tagged? You may need to use

redef restrict_filters = { ["no-data-like-this"] = "vlan and not host 192.168.2.1" };

Edgmand_Craig · June 13, 2017, 7:05pm

Oddly enough it works with tcpdump but not with Bro.

johanna · June 22, 2017, 7:20pm

Can you check if "broctl "print PacketFilter::current_filter" looks
reasonable, and if the exact filter it returns works for you with tcpdump?

Johanna

Topic		Replies	Views
restrict_filters not preventing logging of selected IP addresses Zeek	2	95	May 6, 2022
Bro 0.8 and vlans Zeek	1	67	May 6, 2022
Adding options to bro managed by broctl Zeek	4	81	May 6, 2022
PacketFilter Zeek	14	121	May 6, 2022
Problem changing restrict_filters Zeek	2	89	May 6, 2022

Bro restrict filters question

Related topics