Re: [security-onion] BPF stops working?


Heine Lysemose

Apr 12, 2013, 4:48:47 PM
to securit...@googlegroups.com

Hi

In SecurityOnion 12.04 bpf.conf is the master to all filtering if you haven't broken the sym-links. Make sure you are editing the right one.

Can you paste the line from your bpf.conf, redacting any sensitive information.

Thanks,
Lysemose

On Apr 12, 2013 10:11 PM, "Ross Warren" <ro...@woodhome.com> wrote:
Hello,

I know that when Splunk complains about licence usage it is that my bpf.conf is not filtering packets.

After a few bro restarts and nsm restarts it eventually will get back to filtering packets.

Is there somewhere I can look to figure out why bpf stops working?

If I tail /nsm/bro/logs/current/syslog.log I can watch IPs go by that are in my bpf.conf.

I might have "stale" bro processes:

Here I am being "mean" to bro:

> pgrep -lf bro | wc -l
33
>sudo broctl stop
>pgrep -lf bro | wc -l
20
>sudo killall bro
>pgrep -lf bro | wc -l
5
>sudo broctl install
>sudo broctl start
>pgrep -lf bro | wc -l
18

and I am still getting entries in syslog.log that shouldn't be there.

How can I verify bpf is not working?


Thanks,
Ross Warren




Ross Warren

Apr 12, 2013, 5:05:45 PM
to securit...@googlegroups.com
All the symlinks are still there.

/etc/nsm/anteater-eth0$ sudo ls -las bpf*
0 lrwxrwxrwx 1 root root    8 Jan 29 22:11 bpf-bro.conf -> bpf.conf
0 lrwxrwxrwx 1 root root   23 Jan 29 22:11 bpf.conf -> /etc/nsm/rules/bpf.conf
0 lrwxrwxrwx 1 root root    8 Jan 29 22:11 bpf-ids.conf -> bpf.conf
0 lrwxrwxrwx 1 root root    8 Jan 29 22:11 bpf-pcap.conf -> bpf.conf
8 -rw-r--r-- 1 root root 6160 Apr 12 21:00 bpf-pcap.ops
0 lrwxrwxrwx 1 root root    8 Jan 29 22:11 bpf-prads.conf -> bpf.conf


Here is the first line in /etc/nsm/rules/bpf.conf (that should be stopping syslog)
# Remove all syslog
!(port 514) &&

and the last line
# NVIDIA.com Downloads


Thanks,
Ross Warren

-- Ross Warren

Doug Burks

Apr 13, 2013, 3:24:21 PM
to securit...@googlegroups.com
Hi Ross,

Do the other processes appear to be respecting the BPF?

I'd recommend seeing if you can figure out why you're getting stale Bro processes. I wonder if it's possible that Bro's 5-minute cron check is getting confused and restarting Bro without reading the BPF. Have you tried looking in /nsm/bro/logs/current/ for any clues about Bro restarting and/or loading the BPF?

Finally, if you're mainly concerned about the syslog traffic impacting your Splunk license, have you considered just not forwarding syslog.log to Splunk?

Thanks,
Doug
Doug Burks
http://securityonion.blogspot.com

Ross Warren

Apr 22, 2013, 11:28:49 AM
to securit...@googlegroups.com
Doug,
Back looking at this again.

I disabled bro/syslog in splunk :) didn't think of that... but it was a DUH moment.

Currently my bpf filters are not working. I can tell by looking at the tail of my /nsm/bro/logs/current/syslog.log. IP addresses that are in the BPF are not being filtered.

If I restart bro a few times bpf will start working again.. I have not restarted bro today to *fix* it, hoping we can find why it is broken.

Thoughts?

Thanks,
Ross Warren


-- Ross Warren

Seth Hall

Apr 22, 2013, 1:17:50 PM
to securit...@googlegroups.com

On Apr 22, 2013, at 11:28 AM, Ross Warren <ro...@woodhome.com> wrote:

> If I restart bro a few times bpf will start working again.. I have not restarted bro today to *fix* it, hoping we can find why it is broken.

Check your packet_filter.log. Whenever Bro sets the packet filter it will write a line to that log. If your filter fails compilation, it will give you a message in the notice.log with the 'note' field set to: BPFConf::InvalidFilter

Bro will also update BPF filters for you at runtime immediately after you save Bro's bpf.conf (I think it's named bpf-bro.conf by default).

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

Castle, Shane

Apr 22, 2013, 3:16:45 PM
to securit...@googlegroups.com
Hmm - my packet_filter.log file (did "broctl restart" so I'd get a fresh copy - been running too long and none in the archives) just has the headers:

#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path packet_filter
#open 2013-04-22-19-00-51
#fields ts node filter init success
#types time string string bool bool

But, if I run "broctl print restrict_filters" I get:

manager restrict_filters = {
[BPF-1] = not host ( 192.168.13.70 or 192.168.13.95 or 192.168.13.96 ) and not ( tcp portrange 8400-8500 or tcp portrange 8600-8620 )
}
proxy-1 restrict_filters = {
[BPF-1] = not host ( 192.168.13.70 or 192.168.13.95 or 192.168.13.96 ) and not ( tcp portrange 8400-8500 or tcp portrange 8600-8620 )
}
nsm-eth1 restrict_filters = {
[BPF-1] = not host ( 192.168.13.70 or 192.168.13.95 or 192.168.13.96 ) and not ( tcp portrange 8400-8500 or tcp portrange 8600-8620 )
}
nsm-eth2 restrict_filters = {
[BPF-1] = not host ( 192.168.13.70 or 192.168.13.95 or 192.168.13.96 ) and not ( tcp portrange 8400-8500 or tcp portrange 8600-8620 )
}

So what's the line I should have seen in packet_filter.log? BTW the Bro version is 2.1+ (new git package acquired a couple weeks ago).

--
Shane Castle
Data Security Mgr, Boulder County IT

Ross Warren

Apr 22, 2013, 3:36:01 PM
to securit...@googlegroups.com
Interesting:
I don't have a packet_filter.log

and print filters is empty and notice.log doesn't contain that text.

 sudo broctl print restrict_filters

   manager   restrict_filters = {
}
     proxy   restrict_filters = {
}
anteater-eth0-1   restrict_filters = {
}
anteater-eth0-2   restrict_filters = {
}
anteater-eth0-3   restrict_filters = {
}
anteater-eth0-4   restrict_filters = {
}

Going to restart bro

-rossw

-- Ross Warren

Ross Warren

Apr 22, 2013, 3:47:49 PM
to securit...@googlegroups.com
Restarting bro and nsm a few times.. I now have packet_filter.log

but nothing in restrict_filters and bpf seems to be applied now...

Strange, not sure why it dies.

-rossw

-- Ross Warren

Michal Purzynski

Apr 22, 2013, 4:00:13 PM
to securit...@googlegroups.com
On 4/22/13 9:47 PM, Ross Warren wrote:
> Restarting bro and nsm a few times.. I now have packet_filter.log
>
> but nothing in restrict_filters and bpf seems to be applied now...
>
> Strange, not sure why it dies.
>
> -rossw
>
> -- Ross Warren
>
>
Actually, I have exactly the same problem, running BRO with security onion.

Seth Hall

May 1, 2013, 2:15:03 PM
to securit...@googlegroups.com

On May 1, 2013, at 9:33 AM, Ross Warren <ro...@woodhome.com> wrote:

> But /nsm/bro/logs/current/packet_filter.log shows my current bpf.conf lines
> and /nsm/bro/logs/notice.log does not have any "InvalidFilter" lines.


It should be working fine. The packet_filter log should be showing what is actually in use.

For the bpf.conf support in Bro I'm not using the capture_filters or restrict_filters variables so it being empty makes sense. :)
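Seth's advice above (compare packet_filter.log with bpf.conf rather than restrict_filters) can be scripted. The following is an added example, not code from Security Onion or Bro: it parses Bro's ASCII log header format as quoted by Shane, joins the non-comment lines of bpf.conf, and reports whether the newest successfully-set filter is the one from bpf.conf. The log lines, timestamps and host 192.0.2.10 are constructed samples, and the exact formatting Bro gives the filter string is assumed to preserve the bpf.conf expression as a substring.

```python
"""Is the bpf.conf filter the one Bro reports in packet_filter.log?
Added example, not Security Onion or Bro code; all samples are constructed."""

# Constructed packet_filter.log in Bro's ASCII format (tab-separated; the
# header lines follow the layout quoted in the thread).
SAMPLE_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator ,",
    "#empty_field (empty)",
    "#unset_field -",
    "#path packet_filter",
    "#open 2013-04-22-19-00-51",
    "#fields\tts\tnode\tfilter\tinit\tsuccess",
    "#types\ttime\tstring\tstring\tbool\tbool",
    "1366657251.000000\tbro\tip or not ip\tT\tT",  # default filter, before bpf.conf loaded
    "1366657300.000000\tbro\t!(port 514) && !(host 192.0.2.10)\tF\tT",
]) + "\n"
HEADER_ONLY_LOG = "\n".join(SAMPLE_LOG.splitlines()[:8]) + "\n"  # like Shane's fresh log

# Constructed bpf.conf: comment lines plus one filter split over two lines.
SAMPLE_BPF_CONF = "# Remove all syslog\n!(port 514) &&\n# constructed host exclusion\n!(host 192.0.2.10)\n"

def parse_bro_log(text):
    """Parse a Bro ASCII log into dicts, honouring #separator (an escape such as
    \\x09), #unset_field, #empty_field, #fields and #types."""
    sep, unset, empty, fields, types, rows = "\t", "-", "(empty)", [], [], []
    for line in text.splitlines():
        if line.startswith("#separator "):
            sep = line[len("#separator "):].encode("ascii").decode("unicode_escape")
        elif line.startswith("#"):
            key, _, value = line[1:].partition(sep)
            if key == "unset_field": unset = value
            elif key == "empty_field": empty = value
            elif key == "fields": fields = value.split(sep)
            elif key == "types": types = value.split(sep)
        elif line:
            row = {}
            for name, typ, raw in zip(fields, types, line.split(sep)):
                if raw == unset: row[name] = None
                elif raw == empty: row[name] = ""
                elif typ == "bool": row[name] = raw == "T"
                elif typ in ("time", "double"): row[name] = float(raw)
                else: row[name] = raw
            rows.append(row)
    return rows

def bpf_conf_filter(text):
    """Join the non-comment lines of bpf.conf into one whitespace-normalised expression."""
    parts = [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]
    return " ".join(" ".join(parts).split())

def bpf_in_effect(log_text, bpf_conf_text):
    """True only if the newest successfully-set filter contains the bpf.conf expression."""
    applied = [r for r in parse_bro_log(log_text) if r.get("success")]
    if not applied:  # header-only log: Bro never reported setting a filter
        return False
    latest = max(applied, key=lambda r: r["ts"])
    return bpf_conf_filter(bpf_conf_text) in " ".join(latest["filter"].split())
```

Point it at /nsm/bro/logs/current/packet_filter.log and /etc/nsm/rules/bpf.conf to get a yes/no answer instead of watching syslog.log scroll by; a header-only log or a latest row with success=F both come back False.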