Help with Bro Filters

I'm looking for documentation / guides on how to work with Bro and BPF filters. Suricata was fairly easy to work on: a bpf.conf file to drop traffic from known high-traffic sources and clean things up. But Bro seems to be a very different animal. I have a functional packet filter plugin I created, but format-wise it's being a royal pain. I can do a string of filters in line, but it seems to only work if all the filters are on the same line. Is there a way to break this up and put filter chunks on one line each with a #comment tag between them to keep track of what they are for? Something like this below? TIA!

#example
redef PacketFilter::default_capture_filter = "(ip or not ip) and not (src host x.x.x.x)"
#comment
redef PacketFilter::default_capture_filter += "and not (src host x.x.x.x)"
#comment
redef PacketFilter::default_capture_filter += "and not (src host x.x.x.x)"

Are you looking to spread this across multiple files, or did you just want to be able to wrap it for formatting? What you're doing should work, but you need to ensure you leave a space between each string that you're concatenating. As it stands now, the next "and" will occur immediately after the preceding ")".

You could also build a vector of strings and concat them together like so:

# One clause per line; a comment line between entries is fine here.
global my_filter_list: vector of string = {
	"(ip or not ip)",
	"not (host 192.168.1.102)",
	"not (host fe80::219:e3ff:fee7:5d23)",
	"not (udp port 5353)",
	};

# join_string_vec() inserts the separator, so the " and " spacing is handled for you.
redef PacketFilter::default_capture_filter = join_string_vec(my_filter_list, " and ");

event bro_init()
	{
	print( PacketFilter::default_capture_filter );
	}

I tested this out at http://try.bro.org using Bro 2.6.3. http://try.bro.org/#/trybro/saved/360416

Final note, since the capture filter is a const, it must be defined when you start Bro. You cannot change this particular value without restarting. There are other approaches if you needed to dynamically change the capture filter, but this is the simplest way to do this statically.

Oh, regarding your approach

I forgot: you can't concatenate strings like that in Bro. You could do this:

#example
redef PacketFilter::default_capture_filter = cat(
	"(ip or not ip)",
	" and not (host 192.168.1.102)",
	" and not (host fe80::219:e3ff:fee7:5d23)");

event bro_init()
	{
	print( PacketFilter::default_capture_filter );
	}

or you could do it this way too:

#example
redef PacketFilter::default_capture_filter = cat(
	PacketFilter::default_capture_filter,
	" and not (host 192.168.1.102)");

redef PacketFilter::default_capture_filter = cat(
	PacketFilter::default_capture_filter,
	" and not (host fe80::219:e3ff:fee7:5d23)");

event bro_init()
	{
	print( PacketFilter::default_capture_filter );
	}

A key thing is to make sure you have semicolons at the end of each line.
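Picking up the earlier remark that other approaches exist when the filter has to change at runtime: the packet-filter framework can also take named exclusions, which gives each clause a label instead of a comment and lets you check that each clause actually compiled. This is an added example, not code from the thread; it assumes the Bro 2.x PacketFilter::exclude, PacketFilter::install and PacketFilter::current_filter names, and the addresses are constructed placeholders.

```zeek
# Added example (not code from the thread). Each exclusion is registered under
# a label via PacketFilter::exclude(), and the return value is checked so a
# clause that fails to compile is reported rather than silently left out of
# the capture filter.
# Assumed: Bro 2.x packet-filter framework (PacketFilter::exclude,
# PacketFilter::install, PacketFilter::current_filter). The hosts and nets
# below are constructed placeholders, not taken from the thread.

# label -> BPF clause; the label records what the clause is for.
const capture_exclusions: table[string] of string = {
	["backup-server-bulk"] = "host 192.0.2.10",
	["mdns-chatter"]       = "udp port 5353",
	["printer-vlan"]       = "net 198.51.100.0/24",
} &redef;

event bro_init() &priority=10
	{
	for ( label in capture_exclusions )
		{
		# exclude() test-compiles the clause first and returns F if that fails.
		if ( ! PacketFilter::exclude(label, capture_exclusions[label]) )
			Reporter::warning(fmt("capture exclusion '%s' rejected: %s",
			                      label, capture_exclusions[label]));
		}

	# Rebuild and apply the combined filter now; the framework also writes
	# the installed filter to packet_filter.log.
	if ( ! PacketFilter::install() )
		Reporter::error("failed to install capture filter");

	print PacketFilter::current_filter;
	}
```

The framework ORs the exclusions together and appends them as "and not (...)" to the base capture filter, so the clauses are written without a leading "not".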

Primarily I was looking for how to clean up the format so it wasn't an extremely long line that just kept getting longer. The cat example looks fantastic; I'll give that a shot!

Thanks for all the help especially the http://try.bro.org link!