Yes, another BPF question #9766
Replies: 2 comments 1 reply
-
I've managed to somewhat make it work. It was the combination of the VLAN filter that was throwing me off. For now I have just
Does this not filter out packets that are VLAN tagged? For now I've moved on to my steno filter:
-'not((((tcp[((tcp[12] & 0xf0) >> 2)] = 0x14) || (tcp[((tcp[12] & 0xf0) >> 2)] = 0x15) || (tcp[((tcp[12] & 0xf0) >> 2)] = 0x16) || (tcp[((tcp[12] & 0xf0) >> 2)] = 0x17)) && (tcp[((tcp[12] & 0xf0) >> 2)+1] = 0x03)) || (((tcp[((tcp[12] & 0xf0) >> 2)] < 0x14) || (tcp[((tcp[12] & 0xf0) >> 2)] > 0x18)) && (tcp[((tcp[12] & 0xf0) >> 2)+3] = 0x00) && (tcp[((tcp[12] & 0xf0) >> 2)+4] < 0x08)) || (port 1433 and tcp[((tcp[12] & 0xf0) >> 2) + 8] = 0x16))'
I get the rendering SLS 'global' failed error.
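The steno expression quoted above, as an added example that is not part of the original post: a Python model of its payload-level checks, run against constructed TCP segments, so you can see which payloads the `not(...)` excludes before deploying it. It models only the TCP layer (no Ethernet, VLAN tag or IP header) and applies the classic-BPF rule that a load past the end of the packet rejects the packet; the names `steno_filter_keeps` and `make_segment` are this example's own.

```python
class OutOfBounds(Exception):
    """Classic BPF aborts and rejects the packet when a load runs past its end."""


def _byte(segment: bytes, index: int) -> int:
    if index >= len(segment):
        raise OutOfBounds(index)
    return segment[index]


def steno_filter_keeps(segment: bytes, src_port: int, dst_port: int) -> bool:
    """True if the quoted 'not(...)' filter would keep this TCP segment.

    segment: raw TCP header + payload, indexed the way tcpdump's tcp[] does.
    Sub-expressions are evaluated left to right with short-circuiting, which is
    the order the compiled filter tests them in.
    """
    try:
        off = (_byte(segment, 12) & 0xF0) >> 2  # data offset (words) * 4 = header length
        ct = _byte(segment, off)                # first payload byte
        # TLS record: content type 0x14..0x17 followed by major version 0x03
        tls_record = ct in (0x14, 0x15, 0x16, 0x17) and _byte(segment, off + 1) == 0x03
        # leading byte outside the TLS range, payload byte 3 zero and byte 4 below 8
        other = (ct < 0x14 or ct > 0x18) and _byte(segment, off + 3) == 0x00 \
            and _byte(segment, off + 4) < 0x08
        # MS SQL port with 0x16 at payload byte 8 (TLS handshake wrapped in a TDS header)
        tds_wrapped_tls = 1433 in (src_port, dst_port) and _byte(segment, off + 8) == 0x16
        return not (tls_record or other or tds_wrapped_tls)
    except OutOfBounds:
        return False  # rejected outright: the 'not' never gets a chance to apply


def make_segment(payload: bytes, header_words: int = 5) -> bytes:
    """Constructed minimal TCP header (only the data-offset field is set) plus payload."""
    header = bytearray(header_words * 4)
    header[12] = header_words << 4
    return bytes(header) + payload


if __name__ == "__main__":
    client_hello = make_segment(b"\x16\x03\x01\x00\x05hello")  # constructed TLS record
    http = make_segment(b"GET / HTTP/1.1\r\n")                 # constructed clear-text request
    pure_ack = make_segment(b"")                                # no payload at all
    print(steno_filter_keeps(client_hello, 51000, 443))  # False: TLS record excluded
    print(steno_filter_keeps(http, 51000, 80))           # True: kept
    print(steno_filter_keeps(pure_ack, 51000, 80))       # False: tcp[off] is past the segment end
```

Note the last case: segments carrying no payload (pure ACKs, SYN/FIN without data) are dropped by this filter as a side effect of the out-of-range load, not because the expression matched them.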
-
Would you be able to look in the minion log when you get that error?
-
Alright, I've tried troubleshooting everything before resorting to yet another BPF question on here but I just can't seem to get these rules to work together. They both work fine separately.
zeek:
bpf:
I've tried quotation marks, &&, ||; I've tried ! instead of "not".
Since trying these at the same time, I either get "rendering global sls failed" or it takes the filters but I still see Zeek logs for the traffic I'm trying to filter out.
Any ideas?