Hi all,
After installing my first bro cluster with one manager and three
workers, now I need to configure different bpf filters for every bro
worker.
If I am not wrong, I need to put an entry like this:
redef cmd_line_bpf_filter = "ip and port 80 or port 443"; (for example)
under local.bro file on every worker node. Is this correct for Bro 2.2??
Thanks.
Oops, my mistake. I have modified local.bro in one of the workers:
##! Local site policy. Customize as appropriate.
##!
##! This file will not be overwritten when upgrading or reinstalling!
redef PacketFilter::enable_auto_protocol_capture_filters = F;
redef capture_filters = { ["all"] = "ip or not ip" };
redef restrict_filters = { ["not-hosts"] = "not host 10.10.1.15" };
but it doesn't work:
[BroControl] > print restrict_filters
manager restrict_filters = {
}
proxy-1 restrict_filters = {
}
worker-1 restrict_filters = {
}
[BroControl] >
What am I doing wrong??
Uhmm ok, doing the same config using the local-worker.bro file, it works:
[BroControl] > print restrict_filters
manager restrict_filters = {
}
proxy-1 restrict_filters = {
}
worker-1 restrict_filters = {
[not-hosts] = not host 10.196.0.15
}
Then, how can I discriminate by worker and assign a different bpf
filter to each one??