Why are my BPF's ignored?

[w4rc0n]

For some reason, there are multiple IP's I have explicitly set to ignore via BPF in the configs that are still alerting on nids, and being pcap'd, and imported into zeek. the .71 address below for example:

edit: I am using the global.sls option for all nodes.

[weslambert]

Have you followed all of the instructions here?
https://docs.securityonion.net/en/latest/bpf.html?highlight=bpf#global-bpf

[weslambert]

You might need some ()s so that the and dsts aren't considered as inclusive filters.

[w4rc0n]

That was it, thank you @weslambert

[thegreekman]

@w4rc0n If you do not mind, what is the syntax of your last bpf filter with the src and dst? I can't seem to get mine to work properly.

[w4rc0n]

they look like

- (not host 192.168.34.2 and port 333)

[thegreekman]

Thanks, and what about the one with src and dst in it?

Im trying to do something like this:

• not (src host 192.xx.xx.xx and not dst host 192.xx.xx.xx)

[w4rc0n]

You could try something like: - "!(src host 192.xx.xx.xx and not dst host 192.xx.xx.xx)"

…

On Mon, Aug 30, 2021 at 4:58 PM thegreekman ***@***.***> wrote: Thanks, and what about the one with src and dst in it? Im trying to do something like this: - not (src host 192.xx.xx.xx and not dst host 192.xx.xx.xx) — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#5082 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ALWD7TDDLX5KINI52W2HZ43T7QEIFANCNFSM5BUW2UYQ> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.

[thegreekman]

When I input that, traffic is still coming from the source and destination IP I entered. Do you know why this happening?

[petiepooo]

Let's break that filter string down. Inside the parentheses, you're looking for traffic with a specific src IP but not to the destination IP. Then you're negating everything outside the parentheses. So then you should see everything except that specific scenario. Note that that includes traffic between the two IPs, which is what you appear not to want.

If you want to exclude traffic going from A to B, you'll want to first positively identify the traffic to exclude by endpoint IPs, then exclude it by wrapping in parens and negating it with 'not' (or '!'). If you want to also exclude the return traffic (from destination to source), drop the src and dst qualifiers and just use host.

Also, if you're never expecting VLAN tagging, I suggest specifying 'ip' on all your filters; without that, it will check for a vlan tag, then branch to two different checks based on whether it sees the tag or not. Hint: use the -d option for tcpdump to test your expressions and see the difference.

Assuming your true intent is to drop ALL traffic between those two hosts, I think the filter you're looking for is

! ( ip host 1.1.1.24 && host 1.1.1.208 )

And don't forget to add the ending 'and' (or '&&') to all except the final entry.

[thegreekman]

I changed the condition to ! (ip host 192.168.1.1 && host 192.168.1.40), but unfortunately the traffic is still coming through. My true intent is to drop all traffic between the two hosts like your final statement said.

[w4rc0n]

Is that your only BPF rule in place? If not, can we see what you have?

…

On Mon, Aug 30, 2021 at 11:15 PM thegreekman ***@***.***> wrote: When I input that, traffic is still coming from the source and destination IP I entered. Do you know why this happening? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#5082 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ALWD7TGTNKV2ZCHB6E74KTLT7RQOVANCNFSM5BUW2UYQ> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.

[thegreekman]

Yeah you are right, i had the wrong condition set. I changed it to ! (ip host 192.168.1 && host 192.168.1.45). I want to block all traffic that originates from .1 and ends at .45. Unfortunately, even with this, it still shows traffic between these 2 addresses

[w4rc0n]

Do you know if the traffic you're analyzing is VLAN tagged?

[thegreekman]

It is not vlan tagged

[petiepooo]

Some suggestions:

• Standardize on 'not' instead of '!' and 'and' instead of '&&' just to help eliminate parsing issues with special characters (other than parentheses).
• build a full bpf with all line contents concatenated, eg: 'not port 53 and not port 80 and not port 443 and not ( ip host 192.168.1.1 and host 192.168.1.45 )' and feed that to tcpdump -d to see if it parses and compiles like you expected.
• Make a trivial change (like reordering two of the port expressions), then run 'sudo salt-call state.highstate' and review the output for errors (you should see your change being picked up).

[petiepooo]

another small optimization: specify 'not tcp port 80' (also for 443) otherwise it checks both tcp and udp. DNS can fallback to tcp, though, so you may want to leave port 53 as is.