include all with exclude

caphrim007

Sep 13, 2010, 12:12:45 PM
to flow-tools
Hi folks. I'm trying to use flow-filter or flow-nfilter to strip out
certain addresses in flows sent to flow-print.

I've tried both flow-filter and flow-nfilter and haven't been able to
get it right in either. Here's my flow-nfilter attempt:

filter-primitive site-addy
type ip-address-mask
permit 192.168.0.0 255.255.0.0

filter-primitive dns-resolver
type ip-address-mask
deny 192.168.11.46 255.255.255.255

filter-definition flow-box
match ip-source-address dns-resolver
or
match ip-destination-address dns-resolver
or
match ip-source-address site-addy
or
match ip-destination-address site-addy



I receive a bunch of netflow out of a single pipe. That netflow has
several class B's in it. I only want to see the 192.168.0.0 class B.
And from that, I want to remove all the flows for 192.168.11.46 before
I pipe it to flow-print.

I was hoping the above would do just that but 11.46 addresses continue
to get past the filter.

If I merge the rules like this:


filter-primitive site-addy
type ip-address-mask
deny 192.168.11.46 255.255.255.255
permit 192.168.0.0 255.255.0.0

filter-definition flow-box
match ip-source-address site-addy
or
match ip-destination-address site-addy


The 11.46 addresses also continue to match.

Any help would be appreciated. Thanks.
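
Added example, not part of the original post: a small Python model of how the two filter definitions above evaluate. It assumes flow-nfilter semantics in which a primitive is a first-match permit/deny list with an implicit deny, consecutive `match` lines are ANDed, and `or` separates alternatives. The flow records, the `not_resolver` primitive and the `both_ends` definition are constructed for illustration.

```python
import ipaddress

def prim(rules, default=False):
    """Ordered permit/deny list: first matching entry decides, else the default."""
    nets = [(ipaddress.ip_network(n), ok) for n, ok in rules]
    def check(addr):
        ip = ipaddress.ip_address(addr)
        return next((ok for net, ok in nets if ip in net), default)
    return check

def passes(definition, flow):
    """definition = list of OR-groups; each group is (field, primitive) pairs, ANDed."""
    return any(all(p(flow[f]) for f, p in group) for group in definition)

# Primitives from the post (assumed implicit deny when nothing matches).
site = prim([("192.168.0.0/16", True)])
resolver = prim([("192.168.11.46/32", False)])
merged = prim([("192.168.11.46/32", False), ("192.168.0.0/16", True)])
# Hypothetical primitive: deny only the resolver, permit everything else.
not_resolver = prim([("192.168.11.46/32", False)], default=True)

# The two definitions from the post: every match line is its own OR alternative.
first_attempt = [[("src", resolver)], [("dst", resolver)],
                 [("src", site)], [("dst", site)]]
merged_attempt = [[("src", merged)], [("dst", merged)]]
# Hypothetical alternative: the exclusion is ANDed into each alternative for both ends.
both_ends = [
    [("src", not_resolver), ("dst", not_resolver), ("src", site)],
    [("src", not_resolver), ("dst", not_resolver), ("dst", site)],
]

FLOWS = [  # constructed sample flows
    {"src": "192.168.11.46", "dst": "192.168.20.5"},   # resolver -> site host
    {"src": "192.168.20.5", "dst": "192.168.11.46"},   # site host -> resolver
    {"src": "192.168.11.46", "dst": "198.51.100.7"},   # resolver -> outside
    {"src": "192.168.20.5", "dst": "198.51.100.7"},    # site host -> outside
    {"src": "172.16.1.1", "dst": "198.51.100.7"},      # other class B
]

def verdicts(definition):
    """True where the flow would be passed on to flow-print."""
    return [passes(definition, f) for f in FLOWS]

if __name__ == "__main__":
    for name in ("first_attempt", "merged_attempt", "both_ends"):
        print(name, verdicts(globals()[name]))
```

Under these assumptions a deny entry only makes its own `match` line fail; any other `or` alternative that permits the flow's other address still lets the flow through.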