[Oisf-users] Avoid inspecting intra lan traffic with BPF filter expression
Cooper F. Nelson
cnelson at ucsd.edu
Thu Jun 30 17:50:23 UTC 2016
Just an FYI, we strip out VLAN tags on our tap so I've never had to work
with them. So I don't know the syntax.
You want to 'or' the src and dst networks within the expression:
not (src net1 or net2)
and (dst net1 or net2)
*Always* run a sanity check and verify stuff like this with a unit test.
I.e., monitor the interface with that bpf expression in place and make
sure you are seeing/filtering the right stuff.
-Coop
On 6/30/2016 10:44 AM, Chris Boley wrote:
> So would we change it to:
>
> ??
>
>
> not ((ip and src net 10.250.104.0/25 and src net 10.250.104.192/28) and (ip
> and dst net 10.250.104.192/28 and dst net 10.250.104.0/25))
>
> or
>
> (not ((vlan and src net 10.250.104.0/25 and src net 10.250.104.192/28)
> and (vlan and dst net 10.250.104.192/28 and dst net 10.250.104.0/25)))
>
>
> Like that?
>
>
> Thanks in advance.
>
> On Thu, Jun 30, 2016 at 1:36 PM, Chris Boley <ilgtech75 at gmail.com> wrote:
>
>> Awesome, thank you. I'll try it out.
>>
>> On Thu, Jun 30, 2016 at 1:22 PM, Cooper F. Nelson <cnelson at ucsd.edu>
>> wrote:
>>
>>> See this article on monitoring VLAN tagged traffic:
>>>
>>>> http://taosecurity.blogspot.com/2008/12/bpf-for-ip-or-vlan-traffic.html
>>>
>>> This is how you want to structure your bpf filters, assuming you have
>>> three internal networks:
>>>
>>> not ((src net1 or net2 or net3) and (dst net1 or net2 or net3))
>>>
>>> What you are doing is still going to pass traffic from the dst net to the
>>> src net.
>>>
>>> -Coop
>>>
>>> On 6/30/2016 8:31 AM, Chris Boley wrote:
>>>> Please bear in mind all traffic is VLAN tagged. I saw mentions on the
>>> pevma
>>>> blog page of specialized expressions for BPF filtering where VLANs were
>>>> concerned. I'm looking for some guidance.
>>>>
>>>>
>>>> I created a 'best guess' filter syntax and I'm sure it's very wrong.
>>>>
>>>> I'm asking for someone to help me get going in the right direction on
>>> this:
>>>>
>>>> Thanks in advance!!
>>>> My guess at the filter follows:
>>>>
>>>> not((src net 10.200.104.0/25 and dst net 10.200.104.192/28) or ( src
>>> net
>>>> 10.200.104.192/28 and dst net 10.200.104.0/25))
>>>> or
>>>> (not ((vlan and src net 10.200.104.0/25 and dst net
>>> 10.200.104.192/28)
>>>> or (vlan and src net 10.200.104.192/28 and dst net 10.200.104.0/25)))
>>>>
>>>> Ideas?
>>>>
>>>
>>>
>>> --
>>> Cooper Nelson
>>> Network Security Analyst
>>> UCSD ITS Security Team
>>> cnelson at ucsd.edu x41042
>>>
>>>
>>
>
--
Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042
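As an added example (not part of the thread), the script below builds a filter with the structure Cooper describes at the top of this message and runs the sanity check he recommends against a few constructed sample packets. The evaluator mirrors the expression's boolean logic only, not libpcap's compiled BPF; the `joiner="and"` option reproduces the quoted attempt that joined the two networks with `and`.

```python
from ipaddress import ip_address, ip_network

# Internal networks taken from the thread; the sample packets below are constructed.
INTERNAL_NETS = ["10.250.104.0/25", "10.250.104.192/28"]

def net_clause(direction, nets, joiner):
    """Render e.g. 'src net A or src net B' (joiner 'or') or the 'and' variant."""
    return f" {joiner} ".join(f"{direction} net {n}" for n in nets)

def build_filter(nets, joiner="or"):
    """Cooper's structure: not ((src net1 or net2) and (dst net1 or net2)).
    joiner='and' reproduces the quoted attempt that joined the networks with 'and'."""
    return f"not (({net_clause('src', nets, joiner)}) and ({net_clause('dst', nets, joiner)}))"

def _matches(addr, nets, joiner):
    """Does addr satisfy the per-direction clause (any net for 'or', all nets for 'and')?"""
    hits = [ip_address(addr) in ip_network(n) for n in nets]
    return any(hits) if joiner == "or" else all(hits)

def packet_passes(src, dst, nets, joiner="or"):
    """Evaluate the filter's boolean structure against one (src, dst) pair.
    The packet is kept unless both ends satisfy their internal-network clause."""
    return not (_matches(src, nets, joiner) and _matches(dst, nets, joiner))

SAMPLE_PACKETS = [
    ("10.250.104.10", "10.250.104.200"),  # LAN -> LAN, should be dropped
    ("10.250.104.200", "10.250.104.10"),  # reverse direction, should be dropped
    ("10.250.104.10", "10.250.104.20"),   # same-subnet LAN chatter, should be dropped
    ("10.250.104.10", "192.0.2.50"),      # LAN -> outside, should be kept
    ("192.0.2.50", "10.250.104.200"),     # outside -> LAN, should be kept
]

def sanity_check(nets=INTERNAL_NETS, joiner="or", packets=SAMPLE_PACKETS):
    """The 'unit test' step: return the packets the filter would let through."""
    return [p for p in packets if packet_passes(*p, nets, joiner)]

if __name__ == "__main__":
    print(build_filter(INTERNAL_NETS))
    print("kept with 'or': ", sanity_check())
    # Two disjoint nets can never both contain one address, so the 'and'
    # version excludes nothing and every packet is kept.
    print("kept with 'and':", sanity_check(joiner="and"))
```

Because the two networks are disjoint, the `and` variant's inner clause can never match, so its `not (...)` wrapper keeps every packet, including the intra-LAN traffic it was meant to drop.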