BPF Best Practices for Large Exclusions #13688
We are having an issue with all BPF filtering ever since upgrading past 2.4.70. Since moving to .80+ the filters no longer work. I have tried with "AND" and "OR" inside the first case and reviewed the documentation; none of the attempts work. What is the best method to do large exclusions? Our clients use Tenable, so naturally I want to exclude the public IP ranges and internal scanners. Here is how I have them listed below.

Type: Distributed

(not (net 34.201.223.128/25 AND net 44.192.244.0/24 AND net 44.206.3.0/24 AND net 54.175.125.192/26 AND net 13.59.252.0/25 AND net 18.116.198.0/24 AND net 3.132.217.0/25 AND net 13.56.21.128/25 AND net 34.223.64.0/25 AND net 35.82.51.128/25 AND net 35.86.126.0/24 AND net 35.93.174.0/24 AND net 44.242.181.128/25 AND net 162.159.129.83/32 AND net 162.159.130.83/32 AND net 162.159.140.26/32 AND net 172.66.0.26/32)) &&
Replies: 1 comment 5 replies
I think there is an issue with your BPF: you have multiple AND conditions included in the NOT condition. The BPF can't match all those networks; I think you need OR in place of AND.
I broke them out like the others and it resolved the errors. Will test now and update.
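
The AND-versus-OR point raised in the reply, as an added example that is not part of the original thread or of Security Onion's code: it models the pcap-filter `net` primitive (true when either the source or the destination is in the range), evaluates both forms of the exclusion against constructed packets, and renders the OR-joined filter. The function names, the sample packets and the 10.0.0.x addresses are assumptions made for illustration; the four ranges are taken from the filter in the post.

```python
import ipaddress

# Scanner ranges copied from the filter in the original post (first four only).
SCANNER_NETS = ["34.201.223.128/25", "44.192.244.0/24",
                "44.206.3.0/24", "54.175.125.192/26"]


def net_matches(cidr, src, dst):
    """pcap-filter `net X`: true when the source OR the destination is inside X."""
    net = ipaddress.ip_network(cidr)
    return ipaddress.ip_address(src) in net or ipaddress.ip_address(dst) in net


def captured(nets, src, dst, joiner):
    """Evaluate `not (net A <joiner> net B ...)`; True means the packet is kept."""
    hits = [net_matches(n, src, dst) for n in nets]
    inner = all(hits) if joiner == "and" else any(hits)
    return not inner


def build_exclusion(nets):
    """Render the exclusion as one BPF expression, validating every CIDR first."""
    # ip_network() raises ValueError on typos or on host bits set in the prefix.
    checked = [str(ipaddress.ip_network(n)) for n in nets]
    return "not (" + " or ".join("net " + n for n in checked) + ")"


# Constructed sample packets as (src, dst); 10.0.0.x hosts are hypothetical.
SCANNER_PKT = ("34.201.223.130", "10.0.0.5")
NORMAL_PKT = ("10.0.0.5", "10.0.0.9")

if __name__ == "__main__":
    for joiner in ("and", "or"):
        print(joiner,
              "| scanner packet kept:", captured(SCANNER_NETS, *SCANNER_PKT, joiner),
              "| normal packet kept:", captured(SCANNER_NETS, *NORMAL_PKT, joiner))
    print(build_exclusion(SCANNER_NETS))
```

With `and`, a packet has only two addresses and cannot fall inside every listed range at once, so the inner expression is never true and the `not` keeps all traffic, scanner packets included.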