Question about bpf filter and SSL/TLS and/or encrypted connections


C. L. Martinez

Mar 17, 2018, 3:27:05 AM
to moloc...@googlegroups.com
Hi all,

I am trying to configure a bpf filter under Moloch to save only interesting bits on encrypted connections and don't record all traffic. For example for SSL/TLS I want to grab enough to make sure I get the certificate exchange and the cypher negotiation — anything else is of little interest. Same with SSH.

Do I need to configure a bpf filter and dontSaveTags at the same time? Or can I accomplish this using dontSaveBPFs only?

For example, for ports 443 and 22:

dontSaveBPFs = port 22:6; port 443:6

Is this correct?

Thanks.
--
Greetings,
C. L. Martinez
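To make the question concrete, here is an added model (not Moloch's code, and not something the thread confirms) of how a `dontSaveBPFs` entry written as `bpf:N` would limit the packets kept for a matching session. It assumes, from the Moloch configuration documentation rather than from this thread, that each `;`-separated entry is a BPF expression, that a trailing `:N` means "keep at most N packets of a session that matches", and that the match is decided once per session on its first packet. The BPF matcher and the TLS session are constructed stand-ins; only `[tcp|udp] [src|dst] port N` expressions are modelled.

```python
"""Model of how a Moloch dontSaveBPFs entry of the form "bpf:N" limits what is
written to pcap for a matching session.

Added illustration, not Moloch's own code. Assumptions (from the Moloch config
docs, not from the thread): each ';'-separated entry is a BPF expression, a
trailing ':N' means "keep at most N packets of a matching session", and the
match is decided once per session on its first packet. Only
"[tcp|udp] [src|dst] port N" expressions are modelled.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_port: int
    dst_port: int
    label: str  # constructed, human-readable description of the packet


def parse_dont_save_bpfs(value: str) -> list[tuple[str, int]]:
    """Split 'port 22:6; port 443:6' into [('port 22', 6), ('port 443', 6)].

    An entry without ':N' gets a limit of 0 (save nothing from that session).
    """
    rules: list[tuple[str, int]] = []
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        bpf, sep, count = entry.rpartition(":")
        if sep and count.strip().isdigit():
            rules.append((bpf.strip(), int(count)))
        else:
            rules.append((entry, 0))
    return rules


def bpf_matches(bpf: str, pkt: Packet) -> bool:
    """Tiny stand-in for a BPF engine: handles '[tcp|udp] [src|dst] port N'."""
    tokens = bpf.lower().split()
    if len(tokens) < 2 or tokens[-2] != "port" or not tokens[-1].isdigit():
        raise ValueError(f"unsupported BPF in this model: {bpf!r}")
    port = int(tokens[-1])
    direction = tokens[-3] if len(tokens) >= 3 and tokens[-3] in ("src", "dst") else ""
    if direction == "src":
        return pkt.src_port == port
    if direction == "dst":
        return pkt.dst_port == port
    return port in (pkt.src_port, pkt.dst_port)


def packets_to_save(rules: list[tuple[str, int]], session: list[Packet]) -> list[Packet]:
    """Return the packets that would reach the pcap for one session.

    The first matching rule wins; sessions matching no rule are saved in full.
    """
    if not session:
        return []
    first = session[0]  # assumption: filter evaluated on the session's first packet
    for bpf, limit in rules:
        if bpf_matches(bpf, first):
            return session[:limit]
    return list(session)


# Constructed TLS 1.2 session: a client on ephemeral port 51234 talking to :443.
# The certificate chain is placed in its own segment, as large chains often are.
TLS_SESSION = [
    Packet(51234, 443, "SYN"),
    Packet(443, 51234, "SYN/ACK"),
    Packet(51234, 443, "ACK"),
    Packet(51234, 443, "ClientHello"),
    Packet(443, 51234, "ACK"),
    Packet(443, 51234, "ServerHello"),
    Packet(443, 51234, "Certificate"),
    Packet(443, 51234, "ServerKeyExchange+ServerHelloDone"),
    Packet(51234, 443, "ClientKeyExchange+ChangeCipherSpec+Finished"),
    Packet(443, 51234, "ChangeCipherSpec+Finished"),
    Packet(51234, 443, "ApplicationData"),
    Packet(443, 51234, "ApplicationData"),
]


def saved_labels(config: str, session: list[Packet] = TLS_SESSION) -> list[str]:
    """Labels of the packets kept under a given dontSaveBPFs value."""
    return [p.label for p in packets_to_save(parse_dont_save_bpfs(config), session)]


if __name__ == "__main__":
    for cfg in ("port 22:6; port 443:6", "port 22:6; port 443:10"):
        kept = saved_labels(cfg)
        print(f"{cfg!r}: kept {len(kept)} packets, certificate "
              f"{'present' if 'Certificate' in kept else 'missing'}")
```

The point the model makes is that the packet budget counts every packet of the session, TCP handshake included, so in this constructed exchange `port 443:6` stops right after ServerHello and never reaches the Certificate segment, while a larger budget keeps it. When sizing N for a real sensor, check it against a few captured handshakes from your own traffic rather than this toy session.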

Andy

Mar 20, 2018, 10:03:59 AM
to Moloch Full Packet Capture
Starting with 0.19, rules files are the way to do this: https://github.com/aol/moloch/wiki/RulesFormat

Come over to slack :)