[Oisf-users] Avoid inspecting intra lan traffic with BPF filter expression
Peter Manev
petermanev at gmail.com
Thu Jun 30 18:14:09 UTC 2016
> On 30 Jun 2016, at 19:50, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
>
> Just an FYI, we strip out vlan tags on our tap so I've never had to work
> with them. So I don't know the syntax.
>
> You want to 'or' the src and dst networks within the expression:
>
> not (src net1 or net2)
> and (dst net1 or net2)
>
> *Always* run a sanity check and verify stuff like this with a unit test.
> I.e., monitor the interface with that bpf expression in place and make
> sure you are seeing/filtering the right stuff.
>
I agree here.
@Chris - I think the positioning of ip/vlan is correct in your example.
Looking at the filter though we might end up with - "not"
src net 10.250.104.192/28 -> dst net 10.250.104.192/28
(Like src and dst from the same net)
@Cooper - am I reading it right?
> -Coop
>
>> On 6/30/2016 10:44 AM, Chris Boley wrote:
>> So would we change it to:
>>
>> ??
>>
>>
>> not ((ip and src net 10.250.104.0/25 and src net 10.250.104.192/28) and (ip
>> and dst net 10.250.104.192/28 and dst net 10.250.104.0/25))
>>
>> or
>>
>> (not ((vlan and src net 10.250.104.0/25 and src net 10.250.104.192/28)
>> and (vlan and dst net 10.250.104.192/28 and dst net 10.250.104.0/25)))
>>
>>
>> Like that?
>>
>>
>> Thanks in advance.
>>
>>> On Thu, Jun 30, 2016 at 1:36 PM, Chris Boley <ilgtech75 at gmail.com> wrote:
>>>
>>> Awesome, thank you. I'll try it out.
>>>
>>> On Thu, Jun 30, 2016 at 1:22 PM, Cooper F. Nelson <cnelson at ucsd.edu>
>>> wrote:
>>>
>>>> See this article on monitoring VLAN tagged traffic:
>>>>
>>>> http://taosecurity.blogspot.com/2008/12/bpf-for-ip-or-vlan-traffic.html
>>>>
>>>> This is how you want to structure your bpf filters, assuming you have
>>>> three internal networks:
>>>>
>>>> not ((src net1 or net2 or net3) and (dst net1 or net2 or net3))
>>>>
>>>> What you are doing is still going to pass traffic from the dst net to the
>>>> src net.
>>>>
>>>> -Coop
>>>>
>>>>> On 6/30/2016 8:31 AM, Chris Boley wrote:
>>>>> Please bear in mind all traffic is VLAN tagged. I saw mentions on the pevma
>>>>> blog page of specialized expressions for BPF filtering where VLANs were
>>>>> concerned. I'm looking for some guidance.
>>>>>
>>>>>
>>>>> I created a 'best guess' filter syntax and I'm sure it's very wrong.
>>>>>
>>>>> I'm asking for someone to help me get going in the right direction on this:
>>>>>
>>>>> Thanks in advance!!
>>>>> My guess at the filter follows:
>>>>>
>>>>> not((src net 10.200.104.0/25 and dst net 10.200.104.192/28) or (src net 10.200.104.192/28 and dst net 10.200.104.0/25))
>>>>> or
>>>>> (not ((vlan and src net 10.200.104.0/25 and dst net 10.200.104.192/28) or (vlan and src net 10.200.104.192/28 and dst net 10.200.104.0/25)))
>>>>>
>>>>> Ideas?
>>>>
>>>>
>>>> --
>>>> Cooper Nelson
>>>> Network Security Analyst
>>>> UCSD ITS Security Team
>>>> cnelson at ucsd.edu x41042
>
>
> --
> Cooper Nelson
> Network Security Analyst
> UCSD ITS Security Team
> cnelson at ucsd.edu x41042
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net
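The filter structure Cooper describes, built for Chris's two networks and checked against a few constructed flows, as an added example that is not from anyone in the thread; the function names and the sample addresses are my own, and the vlan handling assumes libpcap's documented behaviour that the first `vlan` keyword changes decoding offsets for the rest of the expression.

```python
"""Build an 'exclude intra-LAN traffic' BPF filter and sanity-check its logic.

Added example for the thread above; helper names and sample flows are constructed.
"""
import ipaddress

NETS = ["10.250.104.0/25", "10.250.104.192/28"]  # Chris's two internal nets


def bpf_exclude_intra_lan(nets):
    """Return a BPF string that drops packets whose src AND dst are both internal,
    for plain and 802.1Q-tagged frames.

    Each side is an OR over the networks: one address can never be in two
    disjoint nets at once, so AND-ing 'src net A and src net B' matches nothing
    and the surrounding 'not' would then exclude nothing.
    """
    src = " or ".join(f"src net {n}" for n in nets)
    dst = " or ".join(f"dst net {n}" for n in nets)
    intra = f"(({src}) and ({dst}))"
    # 'vlan' goes last: libpcap shifts offsets for everything after that keyword,
    # so the untagged test must be evaluated before it (cf. the taosecurity post).
    return f"not (ip and {intra}) and not (vlan and ip and {intra})"


def _in_any(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in nets)


def _in_all(addr, nets):
    ip = ipaddress.ip_address(addr)
    return all(ip in ipaddress.ip_network(n) for n in nets)


def passes_or_form(src, dst, nets):
    """Model of the corrected filter: keep everything except flows where both
    endpoints are internal (same net or different nets, as Peter notes)."""
    return not (_in_any(src, nets) and _in_any(dst, nets))


def passes_and_form(src, dst, nets):
    """Model of the posted 'src net A and src net B' form: with disjoint nets
    the inner test is always false, so every packet passes."""
    return not (_in_all(src, nets) and _in_all(dst, nets))


if __name__ == "__main__":
    print(bpf_exclude_intra_lan(NETS))
    for s, d in [("10.250.104.10", "10.250.104.200"),   # internal -> internal, cross-net
                 ("10.250.104.10", "10.250.104.20"),    # internal -> internal, same net
                 ("10.250.104.10", "8.8.8.8")]:         # internal -> outside (constructed)
        print(s, "->", d, "or-form:", passes_or_form(s, d, NETS),
              "and-form:", passes_and_form(s, d, NETS))
```

Feed the printed string to `tcpdump -d '<filter>'` to confirm libpcap compiles it, then watch the interface with the filter applied, as Cooper suggests, before handing it to Suricata.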