[Oisf-users] Avoid inspecting intra lan traffic with BPF filter expression

Cooper F. Nelson cnelson at ucsd.edu
Thu Jun 30 17:22:36 UTC 2016


See this article on monitoring VLAN tagged traffic:

> http://taosecurity.blogspot.com/2008/12/bpf-for-ip-or-vlan-traffic.html

This is how you want to structure your bpf filters, assuming you have
three internal networks:

not ((src net1 or net2 or net3) and (dst net1 or net2 or net3))

What you are doing is still going to pass traffic from the dst net to the
src net.

-Coop

On 6/30/2016 8:31 AM, Chris Boley wrote:
> Please bear in mind all traffic is VLAN tagged. I saw mentions on the pevma
> blog page of specialized expressions for BPF filtering where VLANs were
> concerned. I'm looking for some guidance.
> 
> 
> I created a 'best guess' filter syntax and I'm sure it's very wrong.
> 
> I'm asking for someone to help me get going in the right direction on this:
> 
> Thanks in advance!!
> My guess at the filter follows:
> 
> not((src net 10.200.104.0/25 and dst net 10.200.104.192/28) or ( src net
> 10.200.104.192/28 and dst net 10.200.104.0/25))
>     or
>    (not ((vlan and src net 10.200.104.0/25 and dst net 10.200.104.192/28)
> or (vlan and src net 10.200.104.192/28 and dst net 10.200.104.0/25)))
> 
> Ideas?
> 


-- 
Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042
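As an added illustration (not code from the post or from the Suricata project), the script below generalises Coop's `not ((src ...) and (dst ...))` structure to any list of internal networks, emits both the untagged and the VLAN-aware form of the expression, and classifies a few constructed flows the same way the filter would. The three networks and the sample flows are assumptions made up for the demo; the VLAN branch follows pcap-filter(7), where the first `vlan` keyword shifts the decoding offsets for the remainder of the expression, so the intra-LAN term is repeated after `vlan` and the single `not` wraps both branches.

```python
import ipaddress

# Constructed internal networks standing in for net1/net2/net3 (not from the post).
INTERNAL_NETS = [
    "10.200.104.0/25",
    "10.200.104.192/28",
    "10.200.105.0/24",
]


def net_clause(direction, nets):
    """'src net A or B or C': libpcap carries the 'src net' qualifier across 'or'."""
    return f"{direction} net " + " or ".join(nets)


def intra_lan_term(nets):
    """Matches packets whose source AND destination are both internal."""
    return f"(({net_clause('src', nets)}) and ({net_clause('dst', nets)}))"


def build_filter(nets, vlan_tagged=False):
    """Return the BPF expression that excludes intra-LAN traffic from inspection.

    The tagged variant repeats the term after 'vlan' because the first 'vlan'
    keyword changes libpcap's decoding offsets for the rest of the expression
    (pcap-filter(7)). One 'not' wraps both branches: negating each branch
    separately would let a tagged packet through simply because it fails the
    untagged-offset test.
    """
    term = intra_lan_term(nets)
    if not vlan_tagged:
        return f"not {term}"
    return f"not ({term} or (vlan and {term}))"


def is_intra_lan(src, dst, nets):
    """Python equivalent of the filter's match: both endpoints inside an internal net."""
    networks = [ipaddress.ip_network(n) for n in nets]
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in n for n in networks) and any(d in n for n in networks)


def classify(flows, nets):
    """Map each (src, dst) pair to 'skip' (dropped by the filter) or 'inspect'."""
    return {(s, d): ("skip" if is_intra_lan(s, d, nets) else "inspect") for s, d in flows}


# Constructed sample flows; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_FLOWS = [
    ("10.200.104.10", "10.200.104.200"),   # net1 -> net2: intra-LAN
    ("10.200.104.200", "10.200.104.10"),   # net2 -> net1: intra-LAN, reverse direction
    ("10.200.104.10", "10.200.105.7"),     # net1 -> net3: intra-LAN without an explicit pair
    ("10.200.104.10", "203.0.113.5"),      # net1 -> outside: inspect
    ("198.51.100.9", "10.200.104.200"),    # outside -> net2: inspect
]

if __name__ == "__main__":
    print(build_filter(INTERNAL_NETS))
    print(build_filter(INTERNAL_NETS, vlan_tagged=True))
    for (src, dst), verdict in classify(SAMPLE_FLOWS, INTERNAL_NETS).items():
        print(f"{src:>15} -> {dst:<15} {verdict}")
```

The point of generating the expression from one list is that every internal-to-internal pair is covered in both directions without enumerating pairs by hand; the classifier is a quick way to sanity-check which flows the sensor will no longer see before the expression is handed to Suricata's `bpf-filter` setting.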
