Zeek provides the packet-filter framework, which lets you drop network packets before analysis by means of BPF expressions.
There are quite a few examples online, for example 1 and 2, that demonstrate the capability. However, most examples show only IPv4 addresses.
What happens if one tries to filter IPv6 addresses?
To figure it out, I did some tests and found that the framework is also able to filter IPv6 addresses.
Test Setup
Use a traffic generator to produce mixed network traffic as follows:
- http
  - v4 (src): 10.1.1.0/24, 10.1.2.0/24
  - v6 (src): 10:1:1::0/112, 10:1:2::0/112
- dns
  - v4 (src): 10.1.3.0/24
  - v6 (src): 10:1:3::0/112
Try to use BPF expressions to filter out both the v4 10.1.2.0/24 and the v6 10:1:2::0/112 addresses. After testing, I found two methods that fulfil the same purpose.
Method 1
By redefining restrict_filters as:
@load base/frameworks/packet-filter
redef restrict_filters += [["ignore-traffic"] = "not (ip6 net 10:1:2::/48 or net 10.1.2.0/24)"];
Since 10:1:1:: and 10:1:2:: already differ in the third 16-bit group, a /48 prefix is enough to tell them apart (and it still leaves the DNS source 10:1:3::/112 untouched). Entries in restrict_filters are and-ed into the capture filter as written, so the not has to be part of the expression here.
Method 2
By calling the PacketFilter::exclude function in the zeek_init event:
@load base/frameworks/packet-filter
event zeek_init()
{
PacketFilter::exclude("ignore traffic", "ip6 net 10:1:2::/48 or net 10.1.2.0/24");
}
In this case there is no need for the not prefix: the framework wraps the expression passed to PacketFilter::exclude in not (...) itself when it builds the filter.
Both methods filter out the targeted traffic without affecting the rest of the network packets, which are analyzed and logged correctly: the conn, http and dns logs are generated with source addresses from 10.1.1.0/24, 10:1:1::0/112, 10.1.3.0/24 and 10:1:3::0/112. Keep in mind that a BPF exclusion drops the packets before Zeek ever sees them, so the excluded sources leave no trace in any log, conn.log included.
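The prefix choice in Method 1 (48 bits to separate 10:1:1:: from 10:1:2::) and the expected log outcome above can both be checked before any filter is installed. The following is an added example, not code from the original post and not Zeek or libpcap code: plain Python address arithmetic that computes the shortest exclusion prefix for each drop net, renders the BPF string in the two forms used by Method 1 and Method 2, and models which test sources survive the filter. KEEP_NETS and DROP_NETS are constructed from the page's test setup; the function names are the example's own.

```python
"""Sanity-check the prefixes behind the Zeek IPv4/IPv6 exclusion filter.

Added example: standard-library address arithmetic only. It models what the
BPF expression from the page matches so the prefix lengths can be checked
before the filter is installed in Zeek.
"""
import ipaddress

# Constructed from the page's test setup: sources that must still reach the
# conn/http/dns logs, and the sources the filter is meant to drop.
KEEP_NETS = ["10.1.1.0/24", "10.1.3.0/24", "10:1:1::/112", "10:1:3::/112"]
DROP_NETS = ["10:1:2::/112", "10.1.2.0/24"]


def shortest_excluding_prefix(drop, keep):
    """Widest supernet of `drop` that still overlaps none of the `keep` nets.

    Walks from prefix length 0 down to drop's own length and stops at the
    first candidate that is disjoint from every kept prefix of the same IP
    version. For 10:1:2::/112 this yields /48, the length used in the page's
    filter; /47 would already swallow the DNS net 10:1:3::/112.
    """
    drop_net = ipaddress.ip_network(drop)
    keep_nets = [ipaddress.ip_network(k) for k in keep]
    same_version = [k for k in keep_nets if k.version == drop_net.version]
    for plen in range(0, drop_net.prefixlen + 1):
        candidate = drop_net.supernet(new_prefix=plen)
        if not any(candidate.overlaps(k) for k in same_version):
            return str(candidate)
    raise ValueError(f"{drop} itself overlaps a kept prefix")


def bpf_exclude_expression(drop_nets):
    """Render the filter in the page's form: 'ip6 net X' for IPv6, 'net Y' for IPv4.

    This is the string handed to PacketFilter::exclude (Method 2), which adds
    the surrounding 'not' itself.
    """
    terms = []
    for n in drop_nets:
        net = ipaddress.ip_network(n)
        qualifier = "ip6 net" if net.version == 6 else "net"
        terms.append(f"{qualifier} {net.with_prefixlen}")
    return " or ".join(terms)


def restrict_filter_expression(drop_nets):
    """Same filter in the form restrict_filters expects (Method 1): wrapped in 'not (...)'."""
    return f"not ({bpf_exclude_expression(drop_nets)})"


def would_be_captured(src, drop_nets):
    """Model the filter's verdict for a packet from `src`: captured unless the
    address falls inside one of the drop nets. Address arithmetic only; it
    checks the prefixes, not libpcap's parsing of the expression."""
    addr = ipaddress.ip_address(src)
    return not any(
        addr in ipaddress.ip_network(n)
        for n in drop_nets
        if ipaddress.ip_network(n).version == addr.version
    )


if __name__ == "__main__":
    tightened = [shortest_excluding_prefix(d, KEEP_NETS) for d in DROP_NETS]
    print("PacketFilter::exclude():", bpf_exclude_expression(tightened))
    print("restrict_filters:       ", restrict_filter_expression(tightened))
    for src in ("10:1:1::1", "10:1:2::1", "10:1:3::1", "10.1.2.9", "10.1.3.9"):
        verdict = "captured" if would_be_captured(src, tightened) else "dropped"
        print(f"{src:<12} {verdict}")
```

Running it prints the two filter strings from the page and the verdict for one sample source per test net. Two things worth noticing: /48 is the widest usable prefix only because the DNS net 10:1:3::/112 sits right next to 10:1:2::/112 (with only 10:1:1:: to avoid, /47 would do), and an address-arithmetic check says nothing about whether libpcap accepts the syntax, so still compile the expression with tcpdump -d or read packet_filter.log after Zeek starts.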