Re: [security-onion] Full Packet capture Filtering with BPF?


se...@remor.com

Dec 17, 2012, 9:46:58 AM12/17/12
to securit...@googlegroups.com

On Dec 17, 2012, at 9:36 AM, coriumintl <be...@coriumintl.com> wrote:

> in the /etc/nsm/SENSORNAME-ethX/bpf.conf file I have:
>
> !(host 192.168.3.33) &&
> !(host 192.168.3.38) &&
> !(host 192.168.3.17) &&
> !(host 192.168.3.39)


I haven't checked in a while to see if it's loaded by default, but I wrote a script that makes Bro support bpf.conf for SecurityOnion so hopefully your task of filtering out those hosts should be easier.

Doug, Scott, is my bpfconf.bro script loaded by default now?

.Seth

Castle, Shane

Dec 17, 2012, 10:10:11 AM12/17/12
to securit...@googlegroups.com
In my BPF I have the entire expression enclosed in parentheses, and I use the property that "not x and not y" equals "not (x or y)":

( not host ( 192.168.13.70 or 192.168.13.95 or 192.168.13.96 )
and not ( tcp portrange 8400-8500 or tcp portrange 8600-8620 )
)

Aside from the parentheses and the use of the symbols for "not" and "and" I don't see what might be wrong, unless the IP addresses you think are associated with the backups are not, or there are additional ones. I don't quite understand what the difference, if any, might be between "!(host 192.168.3.33)" and "! host 192.168.3.33". The use of the parens here makes me uneasy, as it looks to me that they are unnecessary and obfuscating. They might even be changing the meaning: is the "&&" being applied to "host 192.168.3.33" or to its negation?

You could try just firing up a tcpdump using the filter and seeing if it is working as you expect, or perhaps use a pcap as input for testing the filter.

--
Shane Castle
Data Security Mgr, Boulder County IT

-----Original Message-----
From: securit...@googlegroups.com [mailto:securit...@googlegroups.com] On Behalf Of coriumintl
Sent: Monday, December 17, 2012 07:36
To: securit...@googlegroups.com
Subject: [security-onion] Full Packet capture Filtering with BPF?

I'm using SO 20120518, I thought I had BPF configured to filter out my backup servers. However it doesn't seem to be filtering as expected because my backlog of captures was removed due to space being consumed from the backup activities that occur on Sundays. The 4 IPs below are my backup servers.

in the /etc/nsm/SENSORNAME-ethX/bpf.conf file I have:

!(host 192.168.3.33) &&
!(host 192.168.3.38) &&
!(host 192.168.3.17) &&
!(host 192.168.3.39)

in the /usr/local/share/bro/site/local.bro file I have:

redef PacketFilter::all_packets=F;
redef capture_filters = { ["all-packets"] = "ip or not ip" };
redef restrict_filters = { ["host1"] = "not host 192.168.3.17",
["host2"] = "not host 192.168.3.33",
["host4"] = "not host 192.168.3.38",
["host5"] = "not host 192.168.3.39" };

Is there an error in my logic that I'm not seeing?

Thanks guys!

--
You received this message because you are subscribed to the Google Groups "security-onion" group.
To post to this group, send email to securit...@googlegroups.com.
To unsubscribe from this group, send email to security-onio...@googlegroups.com.
Visit this group at http://groups.google.com/group/security-onion?hl=en-US.
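Shane's last suggestion (test the expression against a pcap with tcpdump rather than guessing) can be done offline. The script below is an added example, not code from the thread or from Security Onion: it writes a small constructed pcap containing traffic to and from the four backup addresses plus two unrelated packets, then runs `tcpdump -n -r` with the three spellings of the exclusion that appear in this thread (the poster's `!(host x) && ...`, the word form `not host x and ...`, and Shane's De Morgan form `not host (x or y or ...)`) so you can see they keep the same packets. Host addresses, the client address 192.168.3.200, the 10.0.0.5 peer and all ports are constructed sample values.

```python
import ipaddress
import shutil
import struct
import subprocess
import tempfile
from pathlib import Path

# Constructed for this example: the four backup servers named in the thread.
BACKUP_HOSTS = ["192.168.3.17", "192.168.3.33", "192.168.3.38", "192.168.3.39"]

# Three spellings of the same exclusion. libpcap treats '!' / 'not' and
# '&&' / 'and' as synonyms, and 'host (a or b)' applies 'host' to each address.
FILTER_SYMBOLIC = " && ".join(f"!(host {h})" for h in BACKUP_HOSTS)
FILTER_WORDS = " and ".join(f"not host {h}" for h in BACKUP_HOSTS)
FILTER_DEMORGAN = "not host (" + " or ".join(BACKUP_HOSTS) + ")"

# Constructed sample flows: (src, dst, sport, dport). Only the last two
# involve no backup server, so only they should survive the filter.
SAMPLE_FLOWS = [
    ("192.168.3.33", "192.168.3.200", 49152, 10000),  # backup server -> client
    ("192.168.3.200", "192.168.3.38", 10000, 49153),  # client -> backup server
    ("192.168.3.17", "192.168.3.39", 49154, 10000),   # backup server -> backup server
    ("192.168.3.50", "10.0.0.5", 51000, 443),         # ordinary traffic, keep
    ("10.0.0.5", "192.168.3.50", 443, 51000),         # its reply, keep
]


def _checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum, used for the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_frame(src: str, dst: str, sport: int, dport: int, payload: bytes = b"backup") -> bytes:
    """Ethernet/IPv4/TCP frame (60 bytes with the default payload).

    The TCP checksum is left at zero: BPF host/port filters never look at it.
    """
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    # sport, dport, seq, ack, data offset 5 words, PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0) + payload
    fields = [0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = _checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return eth + struct.pack("!BBHHHBBH4s4s", *fields) + tcp


def build_pcap(flows) -> bytes:
    """Classic little-endian pcap (magic a1b2c3d4, link type 1 = Ethernet)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = []
    for i, (src, dst, sport, dport) in enumerate(flows):
        frame = tcp_frame(src, dst, sport, dport)
        records.append(struct.pack("<IIII", 1355758800 + i, 0, len(frame), len(frame)) + frame)
    return header + b"".join(records)


def expected_kept(flows, excluded_hosts):
    """Reference semantics of 'not host A and not host B ...': a packet survives
    only if neither endpoint is excluded, which is exactly 'not (host A or host B ...)'."""
    excluded = set(excluded_hosts)
    return [f for f in flows if f[0] not in excluded and f[1] not in excluded]


def tcpdump_count(pcap_path: Path, expr: str):
    """Number of packets tcpdump prints for expr, or None if tcpdump is not installed."""
    if shutil.which("tcpdump") is None:
        return None
    proc = subprocess.run(["tcpdump", "-n", "-r", str(pcap_path), expr],
                          capture_output=True, text=True, check=True)
    # tcpdump's "reading from file" banner goes to stderr; stdout is one line per packet
    return sum(1 for line in proc.stdout.splitlines() if line.strip())


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        pcap = Path(d) / "backup-test.pcap"
        pcap.write_bytes(build_pcap(SAMPLE_FLOWS))
        print("packets that should survive:", len(expected_kept(SAMPLE_FLOWS, BACKUP_HOSTS)))
        for name, expr in [("symbolic", FILTER_SYMBOLIC), ("words", FILTER_WORDS),
                           ("demorgan", FILTER_DEMORGAN)]:
            n = tcpdump_count(pcap, expr)
            print(f"{name:9s} {expr!r}: {'tcpdump not installed' if n is None else n}")
```

With tcpdump installed all three forms report 2 packets, matching `expected_kept`. To check the expression actually in a bpf.conf, pass it to the same `tcpdump -n -r` command as a single quoted argument, or add `-d` to print the compiled BPF program; a syntax error shows up immediately instead of surfacing as a full disk on Monday morning.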


Doug Burks

Dec 17, 2012, 10:43:00 AM12/17/12
to securit...@googlegroups.com
Hi Seth,

bpfconf.bro is in the new Security Onion 12.04, but it's not in the
old SO 20120518 that coriumintl is using.

Thanks,
Doug



--
Doug Burks
http://securityonion.blogspot.com

Castle, Shane

Dec 18, 2012, 10:35:27 AM12/18/12
to securit...@googlegroups.com
Those are the port ranges that our backup software uses.

I didn't include any Bro filtering comments because your message indicated that it was the pcaps that were using up your disk space, and that means standard BPF syntax would work.

--
Shane Castle
Data Security Mgr, Boulder County IT


-----Original Message-----
From: securit...@googlegroups.com [mailto:securit...@googlegroups.com] On Behalf Of coriumintl
Sent: Tuesday, December 18, 2012 08:28
To: securit...@googlegroups.com
Subject: Re: [security-onion] Full Packet capture Filtering with BPF?

I tried to re-factor my logic to match yours and bro terminates right after restarting.

What are those TCP port ranges you have included?

Castle, Shane

Dec 18, 2012, 12:26:35 PM12/18/12
to securit...@googlegroups.com
Additional note: after some rereading of and head-scratching about the Bro BPF emails (MARC is your friend) I added this to my Bro setup (last lines in local.bro):

redef PacketFilter::all_packets=F;
redef capture_filters += { ["all-packets"] = "ip or not ip" };
redef restrict_filters = { ["BPF-1"] = "not host ( 192.168.13.70 or 192.168.13.95 or 192.168.13.96 ) and not ( tcp portrange 8400-8500 or tcp portrange 8600-8620 )" };

After the usual wash/rinse/spin with broctl I have now stopped the backup traffic from being viewed by Bro. Sadly, it hasn't improved my capture_loss stats any. I'm hoping that the new SO and PF_RING will help with that.