Problem changing restrict_filters

I am having an issue with changing my restrict_filters that I set up a while back. I don’t know if I am just forgetting how this works, but if someone can help me out here it would be much appreciated.

Previously I had added a section to my local.bro file to restrict the traffic some of my nodes are seeing. I used the following syntax with some dummy IPs for an example:

const idsvm4_hosts = " or";

redef PacketFilter::enable_auto_protocol_capture_filters = T;
redef capture_filters = { ["all"] = "ip or not ip" };
redef restrict_filters = { ["local-src"] = "src host ("+idsvm4_hosts+")" };
redef restrict_filters += { ["local-dst"] = "dst host ("+idsvm4_hosts+")" };

When I did this, I could use the print command in broctl to see that it was in fact working as expected. (print restrict_filters idsvm4)

Now I am trying to change this list, and so I have edited the const I declared previously. I added a few hosts to idsvm4_hosts, and I did an install and restart. When I run the same print, I get back the original restrict_filters. It looks like the node keeps the old one.

While troubleshooting this I have gone as far as to completely remove all my code about packet filters. I issued an install, and restarted the entire cluster. Still the print statement returns with the ORIGINAL restrict_filters I set a few months ago. I feel like I must be missing something here, but I just can’t remember what I did. I know I made this variable so that in the future I could easily update it, but here I am trying to update it with no success.

I think I have the issue resolved, but I can’t give more than a guess as to what was wrong. After not being able to update this I decided to delete one worker node and just completely re-install it. After doing this, it still returned the same restrict_filter (which it shouldn’t have ever seen before).

I noticed that even after stopping the process through broctl, there were still multiple processes running on the node. I rebooted the machine, and installed a second time. This time everything seems to be working as expected.

My only guess is that it might have something to do with trying to do an update rather than a restart. The first time I attempted this, I did an install to push the change and then an update. That didn’t appear to work so I tried restarting. After I rebooted my node I have always just been doing install followed by a restart to pull in the changes. Since doing this my changes seem to apply correctly.

Wish I had something more definitive, but maybe it will save someone some time.
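
A check for the leftover processes described above, as an added example that is not part of the original post: after a broctl restart, it lists any process named bro that is older than the restart and so cannot have loaded the new restrict_filters. It assumes Linux procps (`ps -eo pid,etimes,args`) and a binary named `bro`; the sample lines, PIDs and the `stale_bro` name are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# stale_bro MAX_AGE
#   Reads `ps -eo pid,etimes,args` lines on stdin and prints the PID of every
#   process whose executable basename is "bro" and whose elapsed run time
#   exceeds MAX_AGE seconds. Run it shortly after a restart with MAX_AGE set
#   to the number of seconds since that restart.
stale_bro() {
    awk -v max="$1" '
        NR == 1 && $1 == "PID" { next }      # skip the ps header line
        {
            n = split($3, path, "/")         # basename of the executable
            if (path[n] == "bro" && $2 + 0 > max + 0)
                print $1
        }'
}

# Constructed sample of ps output on a worker a minute after a restart:
# two bro processes that survived from months ago, one fresh bro process,
# an editor whose arguments merely mention bro, and an unrelated daemon.
sample_ps() {
    cat <<'EOF'
  PID ELAPSED COMMAND
 1874 7776000 /usr/local/bro/bin/bro -i eth1 local.bro
 1880 7776000 /usr/local/bro/bin/bro -i eth1 local.bro
 9321      42 /usr/local/bro/bin/bro -i eth1 local.bro
 9400      40 vim /usr/local/bro/share/bro/site/local.bro
  612 9000000 /usr/sbin/sshd -D
EOF
}

# Live use on a worker, two minutes after the restart:
#   ps -eo pid,etimes,args | stale_bro 120
```

Any PID it prints belongs to a bro process that predates the restart and should be gone before the node's filter output is trusted.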