PacketFilter

Zeek
1

I’m attemtpting to impement a packet filter to drop multicast traffic but I’m not having success.

This is what I have in local.bro:

@load base/frameworks/packet-filter
redef capture_filters += {
[“ip”] = “ip”,
[“non-ip”] = “not ip”
};

redef restrict_filters += { [“not-multicast”] = “net 224.0.0.0/4” };

Which according to the FAQ (https://www.bro.org/documentation/faq.html) should produce a BPF like:

((ip) or (not ip)) and (not net 224.0.0.0/4)

But I’m still seeing multicast in the conn log:

1489855468.534667 CM5Ehj4nefU23EOeyj 192.168.20.8 41340 239.254.127.63 60000 udp

It looks like the filters are being implemented:

[BroControl] > print capture_filters
ext-1 capture_filters = {
[non-ip] = not ip,
[ip] = ip
}

[BroControl] > print restrict_filters
ext-1 restrict_filters = {
[not-multicast] = net 224.0.0.0/4
}

Am I missing a step?

-Dave

2

You could always just add it to your broctl.conf like so:

broargs = --filter 'your bpf here'

James

3

That method worked perfect, thanks James.

I am curious if I was doing something wrong or if PacketFilter is buggy.

4

Damnit. I spoke too soon:

1489860004.749780 C7LM4TvxWGSWhxOL1 192.168.20.8 40972 239.254.127.63 60000

5

tcpdump doesn’t enforce the filter either.

$ sudo tcpdump -nn -i netmap:eth2/Rz not net 224.0.0.0/4 | grep 60000

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on netmap:eth2/Rz, link-type EN10MB (Ethernet), capture size 262144 bytes
15:11:26.286104 IP 192.168.20.8.40364 > 239.254.127.63.60000: UDP, length 44
15:11:26.497024 IP 192.168.20.8.47779 > 239.254.127.63.60000: UDP, length 44
15:11:26.950899 IP 192.168.20.8.38593 > 239.254.127.63.60000: UDP, length 44

I’m at a loss now.

6

That’s weird…I can’t reproduce that here…on Ubuntu 16 across the board here. Maybe libpcap or interface issue? My only guess.

7

Thanks for validating James. I’m running netmap + netmap-libpcap and then compiled tcpdump 4.9.0. So looking like a netmap bug.

8

You bet…good luck with the fix…I’d be curious to know what the fix is.

James

9

Does tcpdump -ve show any encapsulation like vlans is in use? You may need to use

sudo tcpdump -nn -i netmap:eth2/Rz vlan and not net 224.0.0.0/4

Or it's a bug in netmap :slight_smile:

10

Does tcpdump -ve show any encapsulation like vlans is in use? You may need to use

sudo tcpdump -nn -i netmap:eth2/Rz vlan and not net 224.0.0.0/4

Or it’s a bug in netmap :slight_smile:

  • Justin Azoff

I built a new Bro cluster without Netmap (standard libpcap-dev libraries for Debian 8.7) and the BPF works as expected:

$ sudo tcpdump -nn -i eth2 net 224.0.0.0/4 | grep 60000
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 262144 bytes

14:38:37.656784 IP 192.168.20.4.34697 > 239.254.127.63.60000: UDP, length 44
14:38:37.656799 IP 192.168.20.4.34697 > 239.254.127.63.60000: UDP, length 44
14:38:37.656974 IP 192.168.20.4.45799 > 239.254.127.63.60000: UDP, length 44

AND

$ sudo tcpdump -nn -i eth2 not net 224.0.0.0/4 | grep 60000
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 262144 bytes

4866 packets received by filter
0 packets dropped by kernel

-Dave

11

And there you go…I think I attempted netmap a couple months ago…didn’t have good results, so stuck with af_packet. Looks like netmap needs a massage.

James

12

Could you try using the netmap plugin for Bro instead of the modified libpcap? The filtering should work correctly there.

  .Seth

13

Sure, I’ll uninstall netmap-libpcap, install the standard Debian libpcap-dev and recompile Bro. Will respond back with observations.

14

You don’t need to do that if you don’t want to. Just compile and install the netmap plugin that ships with Bro 2.5. Check out the README that comes with it too because it explains how to configure a cluster with the netmap plugin.

.Seth