BPF options in Bro

How would I go about creating a filter in Bro? For instance, I have syslog data being sent to another host on the network I am monitoring with ROCK which is creating a lot of unnecessary noise.

@kvv5150 there are a couple of different options, but if you just want Bro to turn a blind eye to it, you can put the following at the end of /usr/share/bro/site/local.bro. ip or not ip is the default Bro capture filter, which captures everything.

redef PacketFilter::default_capture_filter = "(ip or not ip) and not (udp port 514 and dst host 1.2.3.4)"

Where 1.2.3.4 is your syslog server. Remove dst if you want to exclude data also coming from that server using syslog (i.e. you have a tiered syslog architecture).
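What each variant of that exclusion hides from Bro, as an added example that is not part of the original post: a small Python model of the BPF semantics (`udp port 514` matches either port, `host` matches either address). The packets are constructed samples and 1.2.3.4 is the thread's placeholder address.

```python
from collections import namedtuple

# Constructed 5-tuples; a simplified stand-in for real packets.
Pkt = namedtuple("Pkt", "proto src sport dst dport")
SYSLOG_SERVER = "1.2.3.4"  # placeholder address used in the thread


def udp_port_514(p):
    # BPF "udp port 514" matches when EITHER the source or destination port is 514.
    return p.proto == "udp" and 514 in (p.sport, p.dport)


def excluded_dst_only(p):
    # Models: udp port 514 and dst host 1.2.3.4
    return udp_port_514(p) and p.dst == SYSLOG_SERVER


def excluded_any_direction(p):
    # Models: udp port 514 and host 1.2.3.4 ("dst" removed, so src or dst matches)
    return udp_port_514(p) and SYSLOG_SERVER in (p.src, p.dst)


def captured(packets, excluded):
    # "(ip or not ip)" accepts everything, so only the exclusion decides.
    return [p for p in packets if not excluded(p)]


SAMPLES = [
    Pkt("udp", "10.0.0.5", 40000, "1.2.3.4", 514),   # client -> syslog server
    Pkt("udp", "1.2.3.4", 40001, "10.0.0.9", 514),   # server relays to next tier
    Pkt("tcp", "10.0.0.5", 40002, "1.2.3.4", 514),   # TCP 514: never excluded
    Pkt("udp", "10.0.0.5", 40003, "10.0.0.7", 514),  # syslog to a different host
    Pkt("udp", "10.0.0.5", 53000, "1.2.3.4", 53),    # other UDP to the server
]

if __name__ == "__main__":
    for name, rule in (("dst host", excluded_dst_only),
                       ("host", excluded_any_direction)):
        print(name, "variant still captures:")
        for p in captured(SAMPLES, rule):
            print("   ", p)
```

Only UDP 514 involving the syslog server is dropped; TCP on port 514, syslog to other hosts, and all other traffic to the server stay visible to Bro.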

I’m trying to use this filter on a new 2.4.2 build and bro fails to start with it added to the bottom of the /usr/share/bro/site/local.bro file.

Am I doing something wrong or has something changed?

Found the issue. You must add a ; to the end of the line or it will cause errors from other scripts!

Good catch @kwslavens! Bro/Zeek is very particular about semi-colons. When you make changes to your policy files, I always recommend you do a syntax check using

bro -a local

That will run with the --parse-only flag set, which will complain if there’s a syntax error. Unfortunately, the error messages themselves are not always the most intuitive.