[Oisf-users] Avoid inspecting intra lan traffic with BPF filter expression

Chris Boley ilgtech75 at gmail.com
Thu Jun 30 17:44:08 UTC 2016


So would we change it to:

??


not ((ip and src net 10.250.104.0/25 and src net 10.250.104.192/28) and (ip and dst net 10.250.104.192/28 and dst net 10.250.104.0/25))

      or

      (not ((vlan and src net 10.250.104.0/25 and src net 10.250.104.192/28) and (vlan and dst net 10.250.104.192/28 and dst net 10.250.104.0/25)))


Like that?


Thanks in advance.






On Thu, Jun 30, 2016 at 1:36 PM, Chris Boley <ilgtech75 at gmail.com> wrote:

> Awesome, thank you. I'll try it out.
>
> On Thu, Jun 30, 2016 at 1:22 PM, Cooper F. Nelson <cnelson at ucsd.edu>
> wrote:
>
>> See this article on monitoring VLAN tagged traffic:
>>
>> > http://taosecurity.blogspot.com/2008/12/bpf-for-ip-or-vlan-traffic.html
>>
>> This is how you want to structure your bpf filters, assuming you have
>> three internal networks:
>>
>> not ((src net1 or net2 or net3) and (dst net1 or net2 or net3))
>>
>> What you are doing is still going to pass traffic from the dst net to the
>> src net.
>>
>> -Coop
>>
>> On 6/30/2016 8:31 AM, Chris Boley wrote:
>> > Please bear in mind all traffic is VLAN tagged. I saw mentions on the
>> pevma
>> > blog page of specialized expressions for BPF filtering where VLANs were
>> > concerned. I'm looking for some guidance.
>> >
>> >
>> > I created a 'best guess' filter syntax and I'm sure it's very wrong.
>> >
>> > I'm asking for someone to help me get going in the right direction on
>> this:
>> >
>> > Thanks in advance!!
>> > My guess at the filter follows:
>> >
>> > not((src net 10.200.104.0/25 and dst net 10.200.104.192/28) or (src net 10.200.104.192/28 and dst net 10.200.104.0/25))
>> >     or
>> >    (not ((vlan and src net 10.200.104.0/25 and dst net 10.200.104.192/28) or (vlan and src net 10.200.104.192/28 and dst net 10.200.104.0/25)))
>> >
>> > Ideas?
>> >
>>
>>
>> --
>> Cooper Nelson
>> Network Security Analyst
>> UCSD ITS Security Team
>> cnelson at ucsd.edu x41042
>>
>>
>
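The filter structure Coop recommends, modelled in Python so it can be checked against sample flows before it goes into the Suricata config. This is an added example, not code from the thread; the two nets are the ones posted above, while the VLAN variant and the sample flows are my own assumptions.

```python
"""Model of the BPF structure recommended in the thread,
   not ((src net1 or net2 or net3) and (dst net1 or net2 or net3)),
so its behaviour can be checked on sample flows. Added example, not code
from the thread; nets are the two posted, flows are constructed."""
from ipaddress import ip_address, ip_network

# Internal nets named in the thread (sample values, as posted).
INTERNAL = [ip_network("10.250.104.0/25"), ip_network("10.250.104.192/28")]


def build_bpf(nets, vlan_tagged=False):
    """Render the filter as a libpcap expression.
    Every 'src net X' is OR-ed, every 'dst net X' is OR-ed, and the whole
    AND is negated, so both directions (and same-net traffic) are excluded.
    With vlan_tagged=True (an assumption) the match is repeated behind the
    'vlan' keyword, which shifts the offsets of the tests placed after it;
    the negation wraps both alternatives so tagged frames are not passed
    by accident."""
    match = "(({}) and ({}))".format(
        " or ".join(f"src net {n}" for n in nets),
        " or ".join(f"dst net {n}" for n in nets),
    )
    if vlan_tagged:
        return f"not ({match} or (vlan and {match}))"
    return f"not {match}"


def passes_filter(src, dst, nets=INTERNAL):
    """Evaluate the same logic in Python for one packet: True means the
    packet reaches the engine, False means the filter drops it."""
    src_internal = any(ip_address(src) in n for n in nets)
    dst_internal = any(ip_address(dst) in n for n in nets)
    return not (src_internal and dst_internal)


# Constructed sample flows: (src, dst, expected result).
SAMPLE_FLOWS = [
    ("10.250.104.10", "10.250.104.200", False),  # net1 -> net2: intra LAN
    ("10.250.104.200", "10.250.104.10", False),  # net2 -> net1: intra LAN
    ("10.250.104.10", "10.250.104.20", False),   # same net: intra LAN
    ("10.250.104.10", "203.0.113.5", True),      # LAN -> Internet: inspect
    ("203.0.113.5", "10.250.104.200", True),     # Internet -> LAN: inspect
]


def check_samples(flows=SAMPLE_FLOWS, nets=INTERNAL):
    """Return True when every sample flow is classified as expected."""
    return all(passes_filter(s, d, nets) == want for s, d, want in flows)
```

Paste the string returned by build_bpf(INTERNAL) into tcpdump with -d to see the compiled program before using it as the Suricata bpf-filter.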