Some BPF love....

Sent this off to the SecurityOnion group, but probably should have
sent it here. Oopsy!

Anyway

Please....I know I must be doing something noobish...but man, I have
tried it 15 ways to Sunday and no love.

editing: /nsm/bro/spool/policy/site/local.bro

added: redef cmd_line_bpf_filter = "not src host ipaddress";

I want to tweak a tad more based on dst port, but need to at least get
the filter working for the IP.

I then do a check/install/restart

I watch BRO dns.log for the IP I added and she shows up. What
the heck am I missing?

Any help much appreciated.

I've only briefly tested SecurityOnion, but in vanilla Bro, you would
add something like this to local.bro. That file is located under
$BROHOME/share/bro/site.

redef restrict_filters += { ["host exemptions"] = "not (host 4.2.2.2)" };

I don't know SecurityOnion's layout, but I don't think you want to add
it under spool. That is typically where runtime files are created.

Tyler

Might also need

redef PacketFilter::all_packets = F; # don't capture all packets

Hey Tyler

Thanks, I was updating it in the spool folder based on the DOC I was
reading out on the SO groups site. I thought it was weird that I
update in the spool location and not the share location. Maybe I was
just reading it wrong in the DOC. I have been known to skim reading
and not completely reading it fully. :) Anyway, made the updates in
the location you mentioned and it seems to be working. I am not using
your syntax though, I am using this:

redef cmd_line_bpf_filter = "not (host x.x.x.x)";

Worked like a champ. Now I will tweak to include dest port and should
be good to go. Thanks man. Got me on the right track!

Tom
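Putting Tyler's two suggestions together with the destination-port tweak Tom mentions, here is an added example of a local.bro fragment (not taken from the thread or from Bro itself) that keeps every exemption in one place, as Seth asks. The host and port values are placeholders.

```bro
# Added example: host and destination-port exemptions kept together in local.bro.
# 198.51.100.25 and port 873 are placeholders, not values from the thread.
@load base/frameworks/packet-filter

# With all_packets left at its default of T, Bro captures everything and the
# restriction below is not applied (Tyler's "might also need" hint).
redef PacketFilter::all_packets = F;

# Each restrict_filters entry is AND-ed into the BPF expression Bro installs,
# so additional exemptions become additional named entries rather than edits
# to one growing cmd_line_bpf_filter string.
redef restrict_filters += {
    ["host exemption"]   = "not (host 198.51.100.25)",
    ["noisy backup port"] = "not (dst port 873)",
};
```

After the usual check/install/restart, confirm the filter Bro actually installed by looking at packet_filter.log rather than waiting for the host to stop appearing in dns.log.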

Thanks for finding this documentation bug! It is now fixed.

If I understand Seth correctly, we won't have to do this anymore in
Bro 2.1 since it will just read our existing bpf.conf.

Thanks,
Doug

Thanks for pointing that out! That bit of poor design is unfortunately still going to remain for 2.1, but it will absolutely be gone for 2.2. I'll make sure that in the 2.2 release we have good examples for the new way of working with the packet filter framework.

For anyone making changes to your packet filter now, please keep your changes in one place so that it will be easier to upgrade to 2.2 when that time comes.

  .Seth

I'll probably commit a script to a personal repository on github which you can then run on security onion for 2.1. I don't want to include in the 2.1 release since it will be a little hacky since the rewritten packet filter framework isn't going to be included yet.

  .Seth