gamelinux / prads

Passive Real-time Asset Detection System
http://gamelinux.github.com/prads/

Enhancement: read BPF from file #27

Closed dougburks closed 11 years ago

dougburks commented 11 years ago

I see that PRADS has a -b option for passing a BPF on the command line, but I don't see an option for passing a BPF in a file (like bpf.conf). I'm currently emulating this by reading bpf.conf, stripping any comments, and loading into the -b option. It would be nice just to be able to say "-B bpf.conf".

Thanks!

comotion commented 11 years ago

Doesn't the bpfilter= conf param do the trick?

dougburks commented 11 years ago

Are you referring to the bpfilter parameter in prads.conf?

In our Security Onion distro, we have a single central bpf.conf that multiple processes read (Snort/Suricata, daemonlogger, Bro). The use case is that the user just has one place to modify the bpf for their sensor and they don't have to go digging through a bunch of individual config files.

Snort/Suricata, daemonlogger, and Bro all support reading a BPF from an external bpf.conf. Some examples:

snort -F /etc/nsm/rules/bpf.conf
daemonlogger -f /etc/nsm/rules/bpf.conf

It would be a nice enhancement for PRADS to be able to do likewise: prads -B /etc/nsm/rules/bpf.conf

Thanks for your consideration!

gamelinux commented 11 years ago

Doug, I know the use case :) And I'm totally for it. Will look into it.

comotion commented 11 years ago

I've added bpf_file= to the config file. -B param is the new ringbuffer output, and we are running out of short options. We should probably add getopt_long_only() at some point. @dougburks: is using the conf file fine for your use case or do you require this to be an argument?

dougburks commented 11 years ago

I think bpf_file= in the config file should be fine, thanks!

Will this handle a bpf.conf with comments? For example:

# Ignore traffic from vulnerability scanner
!(src host xxx.xxx.xxx.xxx) &&

# Ignore traffic from backup server
!(src host yyy.yyy.yyy.yyy)

comotion commented 11 years ago

Didn't think of comments till you mentioned it. Here they are. Passes my not-so-complex checks, maybe it passes yours as well?
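The workaround described in the opening post (read bpf.conf, strip the comments, hand the result to -b) and the comment-handling question raised later in the thread, as an added example that is not part of the issue or of the PRADS code base. It is a POSIX sh script with a constructed bpf.conf; the `bpf_from_file` and `bpf_check` function names are assumptions, and the host addresses are documentation-range placeholders. It also adds one check the thread does not mention: commenting out the last clause of a multi-line filter leaves a dangling `&&`, which `pcap_compile` would reject when PRADS starts, so the script refuses such a filter before building a command line.

```shell
#!/bin/sh
# Added example (not PRADS code): turn a bpf.conf-style file with '#' comments
# and multi-line expressions into a single BPF string suitable for "prads -b".

# Strip '#' comments and blank lines, join the rest with single spaces,
# and trim leading/trailing whitespace. BPF has no string literals, so a
# '#' can only ever start a comment.
bpf_from_file() {
    sed -e 's/#.*$//' "$1" | tr '\t\n' '  ' | tr -s ' ' | sed -e 's/^ //; s/ $//'
}

# Cheap sanity checks before the expression reaches pcap_compile:
# parentheses must balance and the filter must not end in a boolean
# operator (typical when the last clause was commented out) or be empty.
# Returns 0 when the expression looks usable, 1 otherwise.
bpf_check() {
    expr="$1"
    opens=$(( $(printf '%s' "$expr" | tr -cd '(' | wc -c) ))
    closes=$(( $(printf '%s' "$expr" | tr -cd ')' | wc -c) ))
    [ "$opens" -eq "$closes" ] || return 1
    case "$expr" in
        ''|*'&&'|*'||'|*' and'|*' or'|*' not'|*'(') return 1 ;;
    esac
    return 0
}

# Constructed sample bpf.conf in the style shown in the thread.
demo() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
# Ignore traffic from vulnerability scanner (placeholder address)
!(src host 192.0.2.10) &&

# Ignore traffic from backup server (placeholder address)
!(src host 198.51.100.20)
EOF
    filter=$(bpf_from_file "$tmp")
    rm -f "$tmp"
    if bpf_check "$filter"; then
        # Print the command instead of running it; pcap_compile in PRADS
        # performs the real syntax check when the daemon starts.
        printf 'prads -b "%s"\n' "$filter"
    else
        printf 'refusing malformed filter: %s\n' "$filter" >&2
        return 1
    fi
}

demo
```

The same `bpf_from_file` output can be dropped into the `bpfilter=` line of prads.conf, and once a PRADS build has `bpf_file=` the comment stripping happens inside the daemon and only the dangling-operator check remains useful as a pre-flight test.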