filtering out traffic with bpf


Greg Williams

Feb 7, 2014, 1:24:56 PM
to securit...@googlegroups.com
For the life of me I cannot get any of the bpf filters to work. I've tried adding the following to /etc/nsm/xxxxx/bpf.conf and still see the traffic in /nsm/bro/logs/current/conn.log after I run service nsm restart

(not (host 192.43.217.198 or host 198.189.255.6 or host 198.189.255.2))

I've also tried:

not host 192.43.217.198
not host 198.189.255.6
not host 198.189.255.2

any ideas?

Heine Lysemose

Feb 7, 2014, 1:29:59 PM
to securit...@googlegroups.com

Hi Greg

Have you looked at this page, https://code.google.com/p/security-onion/wiki/BPF? You have to edit /etc/nsm/rules/bpf.conf.

/Lysemose

--
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at http://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/groups/opt_out.

Greg Williams

Feb 7, 2014, 1:35:04 PM
to securit...@googlegroups.com
The configuration is in there as well, but it is not eliminating the traffic. Thank you, yes, I did see the page, but the filter doesn't work. I still see the traffic. I also tested my syntax with tcpdump and was able to successfully not see the traffic so I know my syntax was correct.

Heine Lysemose

Feb 7, 2014, 1:45:20 PM
to securit...@googlegroups.com

Have you broken the symlinks? If so, you should edit bro-bpf.conf.

Regards,
Lysemose

Greg Williams

Feb 7, 2014, 1:52:00 PM
to securit...@googlegroups.com
Symlinks still in place. The filter is in there.

root@xxxx:/home/xxxx# cat /etc/nsm/xxxx-eth0/bpf-bro.conf

Greg Williams

Feb 7, 2014, 2:07:31 PM
to securit...@googlegroups.com
Ok now I know what happened, sorry, my fault. I commented bpfconf out of the securityonion bro loading script because it was causing a 40% increase in CPU usage. Uncommented it and it's back up to causing a 40% increase in load. Thanks for your help.

Heine Lysemose

Feb 7, 2014, 2:08:48 PM
to securit...@googlegroups.com

No problem.

/Lysemose

On Feb 7, 2014 8:07 PM, "Greg Williams" <alpha...@gmail.com> wrote:
> Ok now I know what happened, sorry, my fault. I commented out bpfconf out of the securityonion bro loading script because it was causing a 40% increase of CPU usage. Uncommented it and it's back up to causing a 40% increase load. Thanks for your help.

Doug Burks

Feb 7, 2014, 3:09:06 PM
to securit...@googlegroups.com
40% increase in CPU usage seems high for that one little Bro script.
Are you able to provide some "top" output showing before and after?

On Fri, Feb 7, 2014 at 2:07 PM, Greg Williams <alpha...@gmail.com> wrote:
> Ok now I know what happened, sorry, my fault. I commented out bpfconf out of the securityonion bro loading script because it was causing a 40% increase of CPU usage. Uncommented it and it's back up to causing a 40% increase load. Thanks for your help.
--
Doug Burks

Greg Williams

Feb 7, 2014, 3:25:06 PM
to securit...@googlegroups.com
Attached. ~30% increase currently. ~9.5Ghz to ~16.3Ghz
top_bro_after_bpf.txt
top_bro_before_bpf.txt

Doug Burks

Feb 7, 2014, 4:08:01 PM
to securit...@googlegroups.com
I'm not sure I understand. Where are you getting "~9.5Ghz to
~16.3Ghz"? top_bro_before_bpf shows your load average as 7.05 and
top_bro_after_bpf shows your load average as 6.71, so your load
average actually went down after loading bpf.

On Fri, Feb 7, 2014 at 3:25 PM, Greg Williams <alpha...@gmail.com> wrote:
> Attached. ~30% increase currently. ~9.5Ghz to ~16.3Ghz
>

Heine Lysemose

Feb 7, 2014, 4:15:29 PM
to securit...@googlegroups.com
Hi

I'm not sure about the GHz thing, but I think he is referring to the fact that the Bro processes are now using 100% CPU time after he enabled bpf, while ~70% before.

/Lysemose

Greg Williams

Feb 7, 2014, 6:32:14 PM
to securit...@googlegroups.com
Sorry, yes, overall CPU usage. Yes, the load average goes down, but overall CPU usage jumps by 30%. user % goes down on bro processes, but system % goes up, causing overall utilization of the CPU to be near 100% and eventually leading to packet loss on pf_ring.

Doug Burks

Feb 8, 2014, 9:47:18 AM
to securit...@googlegroups.com
Is it possible that the CPU spikes are caused by traffic spikes
instead of the bpf script?

On Fri, Feb 7, 2014 at 6:32 PM, Greg Williams <alpha...@gmail.com> wrote:
> Sorry, yes, overall CPU usage. Yes, the load average goes down, but overall CPU usage jumps by 30%. user % goes down on bro processes, but system % goes up. Causing overall utilization of the CPU to be near 100% and eventually leads to packet loss on pf_ring.
>

Greg Williams

Feb 10, 2014, 10:34:03 AM
to securit...@googlegroups.com
No, it's repeatable every time. As soon as I enable the script, CPU jumps 30%-40%. When disabled, the CPU drops. Here are several top commands with and without the script, as well as a graphical screenshot of CPU usage. I enabled and disabled the script twice so you could see more clearly.
top_without_bpf_secondtime.txt
top_with_bpf_firsttime.txt
top_with_bpf_secondtime.txt
top_without_bpf_firsttime.txt
CPUgraphic.PNG

Doug Burks

Feb 10, 2014, 11:38:15 AM
to securit...@googlegroups.com
Just to confirm, how exactly are you enabling/disabling the bpf script?

On Mon, Feb 10, 2014 at 10:34 AM, Greg Williams <alpha...@gmail.com> wrote:
> No it's repeatable every time. As soon as I enable the script, CPU jumps 30%-40%. When disabled, the CPU drops. Here are several top commands with and without the script. As well as a graphical screenshot of CPU usage. I enabled and disabled the script twice so you could see more clearly.
>

Greg Williams

Feb 10, 2014, 12:42:41 PM
to securit...@googlegroups.com
Commenting in/out the bpfconf line here:

/opt/bro/share/bro/securityonion/__load__.bro

and restarting bro/nsm

Doug Burks

Feb 10, 2014, 12:52:55 PM
to securit...@googlegroups.com
After modifying __load__.bro, are you then running "sudo broctl
install" before restarting Bro? I think that's necessary to install
the new config.

Greg Williams

Feb 10, 2014, 2:49:41 PM
to securit...@googlegroups.com
I wasn't doing that, but same result even if I run it.

Seth Hall

Feb 11, 2014, 1:03:00 AM
to securit...@googlegroups.com

On Feb 10, 2014, at 2:49 PM, Greg Williams <alpha...@gmail.com> wrote:

> I wasn't doing that, but same result even if I run it.

Generally the bpfconf.bro script shouldn't be causing any load in and of itself. It doesn't really do anything except load and install bpf filters from files.

One thing that Bro does when that file is loaded is to automatically load the contents of your bpf file whenever you modify it so we can actually check to see what's going on while Bro is running. So, make sure you are loading the bpfconf.bro script then go into broctl and run the "install" command, then the "restart" command.

Now that Bro is running and we're reasonably sure that you have the bpfconf.bro script running, cd to /nsm/bro/logs/current/. Check in the packet_filter.log file to see if your packet filter was correctly set. Also check your notice.log, because if the filter you wrote was invalid Bro will have logged there to tell you that you wrote an invalid filter. You may also want to check reporter.log just to see if there is something else failing too.

While Bro is running you can make changes to your bpf filter file and check back on the /nsm/bro/logs/current/packet_filter.log file because it should update whenever you make changes (unless you give it an invalid filter in which case there will be a notice in notice.log).

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/


Greg Williams

Feb 11, 2014, 12:54:17 PM
to securit...@googlegroups.com
Thanks Seth. I don't see any warnings from reporter.log or notice.log about bpf. I do notice that the packet filter is only applied to 5 out of 6 processes though.

root@xxxxxx:/nsm/bro/logs/current# cat packet_filter.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path packet_filter
#open 2014-02-11-17-42-56
#fields ts node filter init success
#types time string string bool bool
1392140578.656121 xxxxxx-eth0-1 (not (host 192.43.217.198 or host 198.189.255.6 or host 198.189.255.2 )) F T
1392140578.869884 xxxxxx-eth0-3 (not (host 192.43.217.198 or host 198.189.255.6 or host 198.189.255.2 )) F T
1392140578.606291 xxxxxx-eth0-4 (not (host 192.43.217.198 or host 198.189.255.6 or host 198.189.255.2 )) F T
1392140578.948704 xxxxxx-eth0-5 (not (host 192.43.217.198 or host 198.189.255.6 or host 198.189.255.2 )) F T
1392140579.047345 xxxxxx-eth0-2 (not (host 192.43.217.198 or host 198.189.255.6 or host 198.189.255.2 )) F T

CPU usage spikes even if I remove all filters. Just by having bpfconf.bro on, CPU spikes.

If this is a bro problem, I can move it to that mailing list.
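Seth's check of packet_filter.log and Greg's 5-of-6 observation above can be done mechanically. The following is an added example, not code from the thread, Bro or Security Onion: it parses Bro's tab-separated ASCII log format and reports which of an expected worker set (assumed here to be six workers named xxxxxx-eth0-1 through xxxxxx-eth0-6) never logged a filter, or logged success=F. The sample log is constructed from the one quoted above.

```python
import codecs

# Constructed sample modelled on the packet_filter.log quoted in this thread,
# written tab-separated as Bro does; "xxxxxx" is the thread's hostname placeholder.
FILTER = "(not (host 192.43.217.198 or host 198.189.255.6 or host 198.189.255.2 ))"
ROWS = [("1392140578.656121", 1), ("1392140578.869884", 3), ("1392140578.606291", 4),
        ("1392140578.948704", 5), ("1392140579.047345", 2)]
SAMPLE_LOG = "\n".join(
    ["#separator \\x09", "#set_separator\t,", "#empty_field\t(empty)",
     "#unset_field\t-", "#path\tpacket_filter", "#open\t2014-02-11-17-42-56",
     "#fields\tts\tnode\tfilter\tinit\tsuccess",
     "#types\ttime\tstring\tstring\tbool\tbool"]
    + ["%s\txxxxxx-eth0-%d\t%s\tF\tT" % (ts, n, FILTER) for ts, n in ROWS])


def parse_bro_log(text):
    """Parse Bro's ASCII log: '#' header lines declare the separator, field names
    and types; every other line is one record. Bool fields become Python bools."""
    sep, fields, types, records = "\t", [], [], []
    for line in text.splitlines():
        if line.startswith("#separator "):
            # the separator is written escaped (e.g. \x09) on the first header line
            sep = codecs.decode(line[len("#separator "):], "unicode_escape")
        elif line.startswith("#fields" + sep):
            fields = line.split(sep)[1:]
        elif line.startswith("#types" + sep):
            types = line.split(sep)[1:]
        elif line.startswith("#"):
            continue  # #set_separator, #path, #open, #close: not needed here
        else:
            vals = line.split(sep)
            records.append({name: (val == "T") if typ == "bool" else val
                            for name, typ, val in zip(fields, types, vals)})
    return records


def check_filter_coverage(records, node_prefix, worker_count):
    """Compare the workers that logged a filter against the expected worker set
    (assumed here to be named <node_prefix>-1 .. <node_prefix>-N)."""
    expected = {"%s-%d" % (node_prefix, i) for i in range(1, worker_count + 1)}
    seen = {r["node"]: r for r in records}
    return {
        "missing": sorted(expected - set(seen)),            # never logged a filter
        "failed": sorted(n for n, r in seen.items() if not r["success"]),
        "filters": sorted({r["filter"] for r in records}),  # should be exactly one
    }


if __name__ == "__main__":
    report = check_filter_coverage(parse_bro_log(SAMPLE_LOG), "xxxxxx-eth0", 6)
    print(report)  # missing: ['xxxxxx-eth0-6'], matching the 5-of-6 observation
```

Run it against the live /nsm/bro/logs/current/packet_filter.log with the real worker count to confirm every worker picked up the same filter before looking elsewhere for the problem.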

Seth Hall

Feb 12, 2014, 12:20:13 AM
to securit...@googlegroups.com

On Feb 11, 2014, at 12:54 PM, Greg Williams <alpha...@gmail.com> wrote:

> I do notice that the packet filter is only applied to 5 out of 6 processes though.

Huh, that's weird. Not sure why that's happening.

> CPU usage spikes even if I remove all filters. Just by having bpfconf.bro on, CPU spikes.

What do you mean by "remove all filters"? You're making the bpf.conf file empty?

Greg Williams

Feb 12, 2014, 11:35:18 AM
to securit...@googlegroups.com
> What do you mean by "remove all filters"? You're making the bpf.conf file empty?

Yes, it makes no difference if I have rules inside of the bpf.conf file or remove all the rules inside; having the bpfconf.bro script enabled results in the CPU spike.
