BPF10

Please note! We are migrating our documentation to https://securityonion.net/docs/. You can find the latest version of this page at: https://securityonion.net/docs/BPF10.

Configuration

Old Security Onion 10.04

Snort/Suricata/daemonlogger

As of Security Onion 20120329, we have support for a central bpf.conf that is passed to Snort, Suricata, and daemonlogger.

First, make sure you're running Security Onion 20120329 or higher:
http://securityonion.blogspot.com/2012/03/security-onion-20120329-now-available.html

This update will create a bpf.conf file for each sensor interface on your system. For example, if you have two sensor interfaces (eth0 and eth1), you'll now have two bpf.conf files:
/etc/nsm/$HOSTNAME-eth0/bpf.conf
/etc/nsm/$HOSTNAME-eth1/bpf.conf

The NSM scripts now pass the "-F /etc/nsm/$HOSTNAME-$INTERFACE/bpf.conf" to Snort and Suricata and "-f /etc/nsm/$HOSTNAME-$INTERFACE/bpf.conf" to daemonlogger. However, Suricata's afpacket mode currently doesn't support bpf. I've created Suricata feature request #440 for this:
https://redmine.openinfosecfoundation.org/issues/440

Once you've added your BPF to the proper bpf.conf file(s) for your sensor interface(s), restart the sensor processes using the following command:

sudo nsm_sensor_ps-restart

Bro

Since there is one Bro config for ALL interfaces on the machine (as opposed to Snort/Suricata/Daemonlogger where we have one config for each interface), it cannot use the above configuration. The recommended way to configure a BPF for Bro is to add the following to /usr/local/share/bro/site/local.bro:

redef cmd_line_bpf_filter = "whatever your filter is";

Then, push the new configuration and restart Bro:

sudo broctl install

sudo broctl restart

BPF Examples

From Phillip Wang:

Just to contribute, and for others to reference, here are some examples of what I've got working

#Nothing from src host to dst port

!(src host xxx.xxx.xxx.xxx && dst port 161) &&



#Nothing from src host to dst host and dst port

!(src host xxx.xxx.xxx.xxx && dst host xxx.xxx.xxx.xxx && dst port 80) &&



#Nothing to or from:

!(host xxx.xxx.xxx.xxx) &&



#Last entry has no final &&

!(host xxx.xxx.xxx.xxx)

From Seth Hall regarding VLAN tags:

(not (host 192.168.53.254 or host 192.168.53.60 or host 192.168.53.69 or host 192.168.53.234)) or (vlan and (not (host 192.168.53.254 or host 192.168.53.60 or host 192.168.53.69 or host 192.168.53.234)))

This amazingly works if you are only using it to restrict the traffic passing through the filter. The basic template is…

<your filter> and (vlan and <your filter>)

Once the "vlan" tag is included in the filter, all subsequent expressions to the right are shifted by four bytes so you need to duplicate the filter on both sides of the vlan keyword. There are edge cases where this will no longer work and probably edge cases where a few undesired packets will make it though, but it should work in the example case that you've given.

Also, I'm assuming that any tools you are running will support vlan tags and no tags simultaneously. Bro 2.0 should work fine at least.

Troubleshooting BPF using tcpdump

http://taosecurity.blogspot.com/2004/09/understanding-tcpdumps-d-option-have.html

http://taosecurity.blogspot.com/2004/12/understanding-tcpdumps-d-option-part-2.html

http://taosecurity.blogspot.com/2008/12/bpf-for-ip-or-vlan-traffic.html