-
Notifications
You must be signed in to change notification settings - Fork 521
BPF10
Please note! This wiki is no longer maintained. Our documentation has moved to https://securityonion.net/docs/. Please update your bookmarks. You can find the latest version of this page at: https://securityonion.net/docs/BPF10.
As of Security Onion 20120329, we have support for a central bpf.conf that is passed to Snort, Suricata, and daemonlogger.
First, make sure you're running Security Onion 20120329 or higher:
http://securityonion.blogspot.com/2012/03/security-onion-20120329-now-available.html
This update will create a bpf.conf file for each sensor interface on your system. For example, if you have two sensor interfaces (eth0 and eth1), you'll now have two bpf.conf files:
/etc/nsm/$HOSTNAME-eth0/bpf.conf
/etc/nsm/$HOSTNAME-eth1/bpf.conf
The NSM scripts now pass the "-F /etc/nsm/$HOSTNAME-$INTERFACE/bpf.conf" to Snort and Suricata and "-f /etc/nsm/$HOSTNAME-$INTERFACE/bpf.conf" to daemonlogger. However, Suricata's afpacket mode currently doesn't support bpf. I've created Suricata feature request #440 for this:
https://redmine.openinfosecfoundation.org/issues/440
Once you've added your BPF to the proper bpf.conf file(s) for your sensor interface(s), restart the sensor processes using the following command:
sudo nsm_sensor_ps-restart
Since there is one Bro config for ALL interfaces on the machine (as opposed to Snort/Suricata/Daemonlogger where we have one config for each interface), it cannot use the above configuration. The recommended way to configure a BPF for Bro is to add the following to /usr/local/share/bro/site/local.bro:
redef cmd_line_bpf_filter = "whatever your filter is";
Then, push the new configuration and restart Bro:
sudo broctl install
sudo broctl restart
From Phillip Wang:
Just to contribute, and for others to reference, here are some examples of what I've got working
#Nothing from src host to dst port
!(src host xxx.xxx.xxx.xxx && dst port 161) &&
#Nothing from src host to dst host and dst port
!(src host xxx.xxx.xxx.xxx && dst host xxx.xxx.xxx.xxx && dst port 80) &&
#Nothing to or from:
!(host xxx.xxx.xxx.xxx) &&
#Last entry has no final &&
!(host xxx.xxx.xxx.xxx)
From Seth Hall regarding VLAN tags:
(not (host 192.168.53.254 or host 192.168.53.60 or host 192.168.53.69 or host 192.168.53.234)) or (vlan and (not (host 192.168.53.254 or host 192.168.53.60 or host 192.168.53.69 or host 192.168.53.234)))
This amazingly works if you are only using it to restrict the traffic passing through the filter. The basic template is…
<your filter> and (vlan and <your filter>)
Once the "vlan" tag is included in the filter, all subsequent expressions to the right are shifted by four bytes so you need to duplicate the filter on both sides of the vlan keyword. There are edge cases where this will no longer work and probably edge cases where a few undesired packets will make it though, but it should work in the example case that you've given.
Also, I'm assuming that any tools you are running will support vlan tags and no tags simultaneously. Bro 2.0 should work fine at least.
http://taosecurity.blogspot.com/2004/09/understanding-tcpdumps-d-option-have.html
http://taosecurity.blogspot.com/2004/12/understanding-tcpdumps-d-option-part-2.html
http://taosecurity.blogspot.com/2008/12/bpf-for-ip-or-vlan-traffic.html
- Introduction
- Use Cases
- Hardware Requirements
- Release Notes
- Download/Install
- Booting Issues
- After Installation
- UTC and Time Zones
- Services
- VirtualBox Walkthrough
- VMWare Walkthrough
- Videos
- Architecture
- Cheat Sheet
- Conference
- Elastic Stack
- Elastic Architecture
- Elasticsearch
- Logstash
- Kibana
- ElastAlert
- Curator
- FreqServer
- DomainStats
- Docker
- Redis
- Data Fields
- Beats
- Pre-Releases
- ELSA to Elastic
- Network Configuration
- Proxy Configuration
- Firewall/Hardening
- Email Configuration
- Integrating with other systems
- Changing IP Addresses
- NTP
- Managing Alerts
- Managing Rules
- Adding Local Rules
- Disabling Processes
- Filtering with BPF
- Adjusting PF_RING for traffic
- MySQL Tuning
- Adding a new disk
- High Performance Tuning
- Trimming PCAPs