2019-12-26 04:15 AM
Hello all,
Could you help? We need to set filtering on packet decoder. In Decoder Configuration on Adapter we set Berkeley Packet Filter. But we don't see the decrease of incoming traffic. Could you help - which filter script should we type for better effect?
now it: not (port 25) or not (port 135) or not (port 42) or not (port 123)
Which port or protocol should we add in this script?
BR.
2019-12-26 09:45 AM
I believe BPF filtering is available in 11.4 but not available prior to 11.4.
2019-12-30 02:39 PM
Support for BPF filtering for 10G capture using pfringz driver will be added in 11.4, I believe. Any other capture not using pfringz driver is currently supported, afaik.
That said, what you might want to filter should be based on the type of traffic that is not interesting or useful for your incident response and security operations. Filtering based solely on volume of traffic would be a fantastic way to blind yourself from suspicious and/or malicious activity.
2019-12-31 11:12 AM
Hi Denis-
I might update your syntax a bit - make it a single not statement instead of the 'or not' that you have configured.
You currently have it as: not (port 25) or not (port 135) or not (port 42) or not (port 123)
I would rewrite this as a single not statement and include all ports: not ((port 25) or (port 135) or (port 42) or (port 123)). My thought is that you have created a not (not) statement, which in effect is doing the opposite of what you are after.
That all being said, I would echo Josh's recommendation - filter out that which is really not interesting or useful to avoid blind spots. Two of the protocols that you have listed (25 and 135) are much harder cases to make as far as filtering is concerned.
2019-12-31 11:39 AM
Hi Denis,
If you are currently using your decoder 10G capture port with pfring driver, then BPF will not work. You may want to try Network Rules as alternative filtering method. Here is the link to that KB: https://community.rsa.com/docs/DOC-47636 . Hope this helps.
2020-01-07 10:48 AM
In regards to BPF implementation, it is available prior to 11.4 minus 10G configurations. In 11.4 the same BPF rules will be supported on the 10G (e.g. pfringz) interface.