
Situation: I have set up a Zeek/Bro IDS and have it listen on one interface (with iptables forwarding traffic).

client1 === iptables === client2
               ||
            zeek_ids

Problem: Zeek is getting triggered by 127.0.0.0/8 traffic and I cannot find any materials on Google to help me ignore that traffic.

Question: Not limiting this to just 127.0.0.0/8 traffic, how can I configure Zeek such that it is able to ignore traffic coming from certain subnets?

Additional information 1: I have attempted to add the subnet (127.0.0.0/8) to $ZEEK_PREFIX/etc/networks.cfg and it did nothing.

David Hoelzer
Timothy Wong

1 Answer

You have several options, all using BPF filters to exclude specific subnet ranges. You can:

  • invoke Zeek with -f to pass in such a filter,
  • add entries to the capture_filters table in the scripting layer,
  • use the more advanced features of the PacketFilter module.

A possible BPF filter to use in your case would be not net 127.0.0.0/8.

Christian