BPF filter partially work


yasser aloraini

Feb 12, 2020, 6:38:45 AM
to security-onion
Hi,

I've been trying to solve this issue.

When I add my line in /etc/nsm/rules/bpf.conf, it will only work if I exclude an IP without specifying a port:

!(host 10.1.1.11)    <-- works fine
!(host 10.1.1.11 && dst port 53)   <-- will not match
!(src host 10.1.1.11 && dst port 53) <-- also will not work

I tried different ways; it will always work if it's only an IP, and it won't work if it's combined with a port.

I also checked the syntax in tcpdump; it's fine.

P.S. I check the result using the Kibana dashboard.

Steven J

Feb 12, 2020, 7:09:55 AM
to securit...@googlegroups.com

3 thoughts on this.

1. Rather than putting this directly into /etc/nsm/rules/bpf.conf, you should put this into one of the symlinked files instead, such as /etc/nsm/<interface>/bpf-ids.conf

2. Presuming you have other entries in your filter, they should all end in && except the last item, e.g.
!(host 10.1.1.11)&&
!(dst host 10.1.1.12 && src port 53)&&
!(src host 10.1.1.13 && dst port 22)

3. On the chance you are copy/pasting from a Windows device, end-of-line formatting must use the Unix/POSIX format. Mac and Linux use only Line Feed to signify EOL; Windows uses CR/LF, which adds extra whitespace to the end of the line. If you are editing this directly in Nano, Vi, or another Linux editor you should be fine. If you need to include Windows in the mix, something like Notepad++ has an option to choose which EOL format you wish to use.

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/security-onion/95dbad97-933f-4a5a-8076-a20ae3e3ee8f%40googlegroups.com.

yasser aloraini

Feb 13, 2020, 1:00:19 AM
to security-onion
Thank you for your reply.

I checked the symlinked path /etc/nsm/<interface>/bpf-ids.conf; as expected, it already contains the line I want to add:
!(host 10.1.1.11 && dst port 53)

But still it won't work; the only way it will work is if we exclude the IP without conditions, like: !(host 10.1.1.11)

Wes Lambert

Feb 13, 2020, 7:42:20 AM
to securit...@googlegroups.com
Could you give an example of a record you still see after applying the filter?

Are you sure you are not seeing a response back from 53 (src port) to that host? 

Thanks,
Wes

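To make the two replies above concrete, here is an added illustration that is not part of the thread or of Security Onion's code. It is a toy model, not a BPF compiler: the three expressions from the first post are hand-written as Python predicates over constructed 4-tuples, so you can see which packets each one keeps. `!(host 10.1.1.11 && dst port 53)` drops the host's DNS queries but still keeps the replies coming back from port 53, which is exactly the record Wes asks about; only `!(host 10.1.1.11)` drops both directions. The `check_bpf_conf` helper applies the two file-level checks from Steven J's reply (LF-only line endings, `&&` on every entry but the last); the sample IPs, ports and file contents are constructed for the example.

```python
from typing import Callable, List, NamedTuple, Tuple


class Pkt(NamedTuple):
    """Constructed packet 4-tuple; enough to model host/port primitives."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


Filter = Callable[[Pkt], bool]  # True means the filter KEEPS the packet

HOST = "10.1.1.11"  # the host from the thread


# BPF primitives modelled as predicates (toy model, not libpcap)
def host(ip: str) -> Filter:
    return lambda p: p.src_ip == ip or p.dst_ip == ip


def src_host(ip: str) -> Filter:
    return lambda p: p.src_ip == ip


def dst_port(port: int) -> Filter:
    return lambda p: p.dst_port == port


def not_(f: Filter) -> Filter:
    return lambda p: not f(p)


def and_(a: Filter, b: Filter) -> Filter:
    return lambda p: a(p) and b(p)


# The three expressions from the first post, keyed by their BPF text
FILTERS = {
    "!(host 10.1.1.11)": not_(host(HOST)),
    "!(host 10.1.1.11 && dst port 53)": not_(and_(host(HOST), dst_port(53))),
    "!(src host 10.1.1.11 && dst port 53)": not_(and_(src_host(HOST), dst_port(53))),
}

# Constructed sample traffic: a DNS query, its reply, and another client's query
QUERY = Pkt("10.1.1.11", 51515, "10.1.1.53", 53)
REPLY = Pkt("10.1.1.53", 53, "10.1.1.11", 51515)
OTHER = Pkt("10.1.1.20", 40000, "10.1.1.53", 53)


def kept(expr: str, pkt: Pkt) -> bool:
    """Does the named filter keep this packet?"""
    return FILTERS[expr](pkt)


def check_bpf_conf(text: str) -> Tuple[List[str], str]:
    """Apply the two checks from the replies to a bpf.conf body.

    Returns (problems, combined_expression). Blank lines and '#' comments
    are ignored. The combined expression is what the entries amount to
    once chained with '&&' (an illustration, not Security Onion's loader).
    """
    problems: List[str] = []
    if "\r" in text:
        problems.append("CR found: file has Windows (CRLF) line endings, convert to LF")
    entries = [ln.strip() for ln in text.replace("\r", "").split("\n")]
    entries = [e for e in entries if e and not e.startswith("#")]
    for i, entry in enumerate(entries):
        last = i == len(entries) - 1
        if not last and not entry.endswith("&&"):
            problems.append(f"entry {i + 1} does not end in '&&': {entry}")
        if last and entry.endswith("&&"):
            problems.append(f"last entry must not end in '&&': {entry}")
    combined = " && ".join(e.rstrip("&").strip() for e in entries)
    return problems, combined


if __name__ == "__main__":
    for expr in FILTERS:
        print(expr)
        for name, pkt in (("query", QUERY), ("reply", REPLY), ("other", OTHER)):
            print(f"  {name:<5} -> {'kept' if kept(expr, pkt) else 'dropped'}")
    good = "!(host 10.1.1.11)&&\n!(dst host 10.1.1.12 && src port 53)&&\n!(src host 10.1.1.13 && dst port 22)\n"
    print(check_bpf_conf(good))
    print(check_bpf_conf(good.replace("\n", "\r\n")))
```

Running it shows the reply packet surviving the two port-qualified filters while the plain `!(host 10.1.1.11)` drops it; if the Bro-DNS dashboard is keyed on the DNS flow rather than on one packet direction, the flow will still appear. The CRLF variant of the sample file is flagged before anything else, which is the first thing to rule out when a filter "compiles fine in tcpdump" but behaves differently on the sensor.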

yasser aloraini

Feb 16, 2020, 1:03:19 AM
to security-onion
Hi,
As you can see in the attachment (Dashboard/Bro-DNS), I'm still seeing 10.1.1.11 as source with dst port 53 even though I apply !(src host 10.1.1.11 && dst port 53) in the BPF filter.

Attachments: bpf2.png, bpf.png

Wes Lambert

Feb 18, 2020, 9:23:48 AM
to securit...@googlegroups.com
You may want to ensure all IDS services are stopped (and are not still running after stopping, holding on to old config).

Thanks,
Wes
