Help，About Packet Filter

my1 · January 22, 2020, 2:42am

Hi，friends:

I use restrict_filters to filter the traffic. but the settings did not take effect, all of the traffic was filtered. What should I do?

My script is as follows:

redef restrict_filters += {

      ["unmonitored host"] = "host 123.2.15.75"
};

I am looking forwoard to your replay. Thakns.

JustinAzoff · January 23, 2020, 4:15pm

Is your traffic encapsulated with vlan tags? Does changing the filter to

    vlan and host 123.2.15.75

work any better?

my1 · March 2, 2020, 6:33am

Hi,
I tested the config you provided, but it didn’t work. I read the source code and used the following config for traffic filtering. It’s not perfect.

Iredef packet_filter_default = F;

event zeek_init()
{
    install_src_addr_filter($ip=123.2.15.75, $tcp_flags=63, $prob=1.0);

    install_src_addr_filter($ip=123.2.15.75, $tcp_flags=1, $prob=1.0);

    install_src_addr_filter($ip=123.2.15.75, $tcp_flags=2, $prob=1.0);

    install_src_addr_filter($ip=123.2.15.75, $tcp_flags=4, $prob=1.0);
...

Topic		Replies	Views
Filtering help Zeek	11	1142	May 6, 2022
Zeek 2.6.1 - packet_filter - unable to filter out traffic Zeek	1	203	May 6, 2022
Error with filters Zeek	2	103	May 6, 2022
Bro restrict filters question Zeek	4	118	May 6, 2022
Error with filters Zeek	1	127	May 6, 2022

Help，About Packet Filter

Related topics