Problems with BPF + VLAN Tags


Matt May

Jun 19, 2017, 4:56:43 PM6/19/17
to security-onion
I want to use BPFs for tuning out traffic on my SO cluster, but I have a problem. I want to ignore all SSH traffic. Assume all traffic being monitored has VLAN tags. I am trying to use the following filter, but this causes all traffic to be filtered instead of just that using tcp dst port 22. I assume it's ignoring the port 22 logic and simply ignoring all vlan tagged traffic.

(vlan and (tcp dst port 22))

After "sudo service nsm restart" the only logs Bro generates are the following:

capture_loss.log
communication.log
stats.log
stderr.log
stdout.log

I'm trying only to ignore ssh.log.

Thanks for the help!
Matt May

KennyWap

Jun 19, 2017, 5:16:55 PM6/19/17
to security-onion
Per the Security Onion Wiki it doesn't seem that you'll need to use a special "VLAN" statement in your BPF:

https://github.com/Security-Onion-Solutions/security-onion/wiki/VLAN-Traffic

try something like this: !(tcp port 22)

or: !(tcp dst port 22)

reference: http://biot.com/capstats/bpf.html

Matt May

Jun 20, 2017, 12:44:58 PM6/20/17
to security-onion
On Monday, June 19, 2017 at 5:16:55 PM UTC-4, KennyWap wrote:
> Per the Security Onion Wiki it doesn't seem that you'll need to use a special "VLAN" statement in your BPF:
>
> https://github.com/Security-Onion-Solutions/security-onion/wiki/VLAN-Traffic
>
> try something like this: !(tcp port 22)
>
> or: !(tcp dst port 22)

I tried both with and without the vlan statement; neither worked. Moreover, I tried tweaking the snaplen variable in /etc/nsm/sensorname-interface/snort.conf to 1514, 1518, and 1524 with no luck. Does the snaplen variable affect how Bro reads the packets, or just Snort? Any other ideas?

> reference: http://biot.com/capstats/bpf.html

Doug Burks

Jun 21, 2017, 10:10:44 PM6/21/17
to securit...@googlegroups.com
Hi Matt,

That VLAN-traffic page doesn't really have anything to do with BPF specifically. The main point of that page is that if you're running older software you may need to do some manual configuration to handle VLAN traffic properly. If you're running the latest version of Security Onion with all updates applied, you shouldn't have to tweak snaplen.

Have you seen the VLAN section of the BPF page?
https://github.com/Security-Onion-Solutions/security-onion/wiki/BPF#vlan

--
Doug Burks

Matt May

Jun 22, 2017, 10:55:22 AM6/22/17
to security-onion

Hey Doug,

Thanks for the response. I got it working by simply putting !(port 22), but if I understand correctly that means I am ignoring all TCP and UDP traffic from source and destination port 22. I want to be more explicit by using !(tcp dst port 22), but it doesn't seem to like that. I got the syntax from http://biot.com/capstats/bpf.html.

Thanks,
Matt May

Matt May

Jun 22, 2017, 11:23:42 AM6/22/17
to security-onion

*** Update ***

I got it working with !(port ssh), !(tcp port ssh), and !(tcp port 22). I also got it working with the following statement: !(tcp src port 22) && !(tcp dst port 22), but this doesn't make sense because SSH client ports change.

Matt May

Jun 23, 2017, 3:44:22 PM6/23/17
to security-onion

I guess you need both sides of it because it sees port 22 as the src port for the server when it replies. Thanks for the help guys.
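The behaviour Matt worked out in the last two posts (a `tcp dst port 22` filter only matches the client-to-server half of an SSH session, because the server's replies carry 22 as the source port, while `tcp port 22` and `port 22` match both directions) can be reproduced without a sensor. The following script is an added example, not code from this thread or from Security Onion: it builds a handful of constructed 802.1Q-tagged Ethernet/IPv4 frames, parses them (skipping the 4-byte VLAN tag the way the `vlan` keyword tells BPF to), and applies Python predicates that model each filter expression discussed above. The frame builder, the packet labels and the addresses are all invented test data; the predicates are a model of how libpcap classifies packets, not libpcap itself (real `port 22` also matches SCTP, which is not generated here).

```python
import struct

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag follows the MAC addresses
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
PROTO_UDP = 17


def build_frame(src_ip, dst_ip, proto, sport, dport, vlan_id=None):
    """Build a minimal Ethernet[/802.1Q]/IPv4/TCP-or-UDP frame (constructed test data, not a capture)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan_id is not None:
        eth += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF)
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    l4_len = 20 if proto == PROTO_TCP else 8
    # IPv4: ver/IHL, TOS, total length, id, flags/frag, TTL, protocol, checksum (0, unverified), src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + l4_len, 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    if proto == PROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x10, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    return eth + ip + l4


def parse_frame(frame):
    """Return the VLAN id (None if untagged), IP protocol and L4 ports of a frame.

    The only VLAN-specific work is the offset shift: when the ethertype after the
    MAC addresses is 0x8100, the real ethertype and the IP header sit 4 bytes later.
    """
    off = 12
    (ethertype,) = struct.unpack_from("!H", frame, off)
    off += 2
    vlan = None
    if ethertype == ETHERTYPE_VLAN:
        (tci,) = struct.unpack_from("!H", frame, off)
        vlan = tci & 0x0FFF
        (ethertype,) = struct.unpack_from("!H", frame, off + 2)
        off += 4
    if ethertype != ETHERTYPE_IPV4:
        return {"vlan": vlan, "proto": None, "sport": None, "dport": None}
    ihl = (frame[off] & 0x0F) * 4
    proto = frame[off + 9]
    sport, dport = struct.unpack_from("!HH", frame, off + ihl)
    return {"vlan": vlan, "proto": proto, "sport": sport, "dport": dport}


# Predicates modelling the BPF primitives used in the thread.
def tcp_dst_port(p, port):
    return p["proto"] == PROTO_TCP and p["dport"] == port


def tcp_src_port(p, port):
    return p["proto"] == PROTO_TCP and p["sport"] == port


def tcp_port(p, port):
    return p["proto"] == PROTO_TCP and port in (p["sport"], p["dport"])


def any_port(p, port):
    # BPF "port N" is protocol-agnostic (TCP, UDP and, in libpcap, SCTP); only TCP/UDP are built here.
    return p["proto"] in (PROTO_TCP, PROTO_UDP) and port in (p["sport"], p["dport"])


# Each entry: the filter expression as typed in bpf.conf -> predicate returning True when the packet is KEPT.
FILTERS = {
    "vlan and (tcp dst port 22)": lambda p: p["vlan"] is not None and tcp_dst_port(p, 22),
    "not tcp dst port 22": lambda p: not tcp_dst_port(p, 22),
    "not tcp port 22": lambda p: not tcp_port(p, 22),
    "not port 22": lambda p: not any_port(p, 22),
    "not tcp src port 22 and not tcp dst port 22": lambda p: not tcp_src_port(p, 22) and not tcp_dst_port(p, 22),
}

# Constructed traffic on VLAN 100: one SSH session (both directions) plus unrelated flows.
SAMPLE = [
    ("ssh-client", build_frame("10.0.0.5", "10.0.0.22", PROTO_TCP, 51000, 22, vlan_id=100)),
    ("ssh-reply", build_frame("10.0.0.22", "10.0.0.5", PROTO_TCP, 22, 51000, vlan_id=100)),
    ("https", build_frame("10.0.0.5", "93.184.216.34", PROTO_TCP, 51001, 443, vlan_id=100)),
    ("dns", build_frame("10.0.0.5", "10.0.0.53", PROTO_UDP, 51002, 53, vlan_id=100)),
    ("udp-22", build_frame("10.0.0.5", "10.0.0.22", PROTO_UDP, 51003, 22, vlan_id=100)),
]


def kept_by(filter_expr, frames=SAMPLE):
    """Labels of the frames a capture filter would pass through to Bro/Snort."""
    keep = FILTERS[filter_expr]
    return [label for label, raw in frames if keep(parse_frame(raw))]


if __name__ == "__main__":
    for expr in FILTERS:
        print(f"{expr!r:50} keeps {kept_by(expr)}")
```

Running it shows the asymmetry directly: `not tcp dst port 22` still lets the `ssh-reply` frame through (Bro would keep seeing half the session), `not tcp port 22` and the two-sided `src`/`dst` form drop both halves, and `not port 22` additionally drops the UDP-to-22 frame, which is the extra breadth Matt was worried about. The un-negated `vlan and (tcp dst port 22)` keeps only the SSH client frame, which matches the first post's observation that, used as a capture filter, it discards essentially everything else.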
