Replies: 3 comments 1 reply
-
|
do you see your filter in /opt/zeek/etc/bpf on the sensor container? docker exec -it so-zeek /bin/bash |
Beta Was this translation helpful? Give feedback.
-
|
Yessir. I can see the filter get added when i restart zeek and see the bpf.txt file updated in the container as well. |
Beta Was this translation helpful? Give feedback.
-
|
Can you provide a tcpdump of traffic? something like |
Beta Was this translation helpful? Give feedback.
-
|
Unfortunately I am unable to do that.I can confirm though that the src host traffic is correctly filtered when run against tcpdump.Sent from my iPhoneOn Sep 18, 2024, at 20:13, Jorge Reyes ***@***.***> wrote:
Can you provide a tcpdump of traffic?
something like not (src host 10.10.10.10 and dst port 22) should work to filter traffic coming from 10.10.10.10 and going to any ip on port 22
—Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you authored the thread.Message ID: ***@***.***>
|
Beta Was this translation helpful? Give feedback.
-
Version
2.4.90
Installation Method
Security Onion ISO image
Description
configuration
Installation Type
Distributed
Location
on-prem with Internet access
Hardware Specs
Exceeds minimum requirements
CPU
4
RAM
32
Storage for /
500 gb
Storage for /nsm
8tb
Network Traffic Collection
span port
Network Traffic Speeds
Less than 1Gbps
Status
Yes, all services on all nodes are running OK
Salt Status
Yes, there are salt failures (please provide detail below)
Logs
No, there are no additional clues
Detail
Security Onion 2.4.9
BPF filter is not working for Zeek at all.
I have confirmed syntax is correct and tested it against tcpdump for further testing.
Zeek will show the rule being added, but doesnt filter on the rule.
Example not (src host ip and dst port 22)
i still see all sorts of traffic for this specific ip/port combo.
Guidelines
Beta Was this translation helpful? Give feedback.
All reactions