[Zeek] Interface Removed From Config but Keeps Monitoring Traffic

Justin Azoff justin at corelight.com
Wed Apr 10 16:31:50 PDT 2019


On Wed, Apr 10, 2019 at 10:22 AM Kevin Ross <kevross33 at googlemail.com> wrote:
>
> Hi,
>
> I configured an afpacket interface in addition to one I was already using and it monitored fine but I want to stop monitoring this link for now and just leave it to Suricata at the moment.
>
> I have removed the configuration for it and redeployed, cleaned and everything else I can think of and many config installs and when started while only the workers configured on the original interface show in running jobs I am still getting traffic events from the other interface (I know this because of the IPs being monitored).

Ah, you needed to stop those extra workers before removing them from
the configuration.  I thought we added something to warn people when
they did that, but that may only detect if you reduce lb_procs and not
remove an interface entirely.

> Is there anything I can check or clean up to try and force bro to completely "forget" it ever knew about this interface? Thanks.

The easiest thing to do would be to do

    broctl stop
    broctl ps.bro

That should show any remaining orphaned bro processes.  Kill those,
then start things back up and you should be good to go.

--
Justin
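
An added example, not part of the original message and not code from the Zeek project: a shell check that compares the `-i` argument of each running bro process against the `interface=` lines left in node.cfg, so a worker still sniffing a removed interface stands out by PID. The function names, PIDs, paths and sample lines are constructed for illustration; it covers only the removed-interface case, not orphans left by reducing lb_procs.

```shell
#!/bin/sh
# Added example: list bro processes still sniffing an interface that is no
# longer in node.cfg. It only reports; stopping the process is left to you.

# Print the interface= values from a broctl node.cfg, one per line.
configured_ifaces() {
    sed -n 's/^[[:space:]]*interface[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" | sort -u
}

# stdin: "PID ARGS..." lines, e.g. from `ps -eo pid=,args=`.
# stdout: "PID IFACE" for each bro process whose -i value is not in node.cfg.
find_orphans() {
    known=$(configured_ifaces "$1" | tr '\n' ' ')
    awk -v known="$known" '
        BEGIN { n = split(known, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            exe = $2; sub(/.*\//, "", exe)      # basename of the executable
            if (exe != "bro") next              # ignore suricata and others
            for (i = 3; i < NF; i++)
                if ($i == "-i" && !($(i + 1) in ok)) { print $1, $(i + 1); break }
        }'
}

# Constructed sample: eth1 was removed from node.cfg, its worker still runs.
demo() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
[manager]
type=manager
host=localhost
[worker-1]
type=worker
host=localhost
interface=af_packet::eth0
EOF
    find_orphans "$cfg" <<'EOF'
 4101 /usr/local/bro/bin/bro -i af_packet::eth0 -U .status -p broctl -p worker-1 local.bro
 4177 /usr/local/bro/bin/bro -i af_packet::eth1 -U .status -p broctl -p worker-2 local.bro
 4250 /usr/bin/suricata --af-packet=eth1 -c /etc/suricata/suricata.yaml
EOF
    rm -f "$cfg"
}
# Live use (install path is an assumption):
#   ps -eo pid=,args= | find_orphans /usr/local/bro/etc/node.cfg
```

On the constructed sample, `demo` reports `4177 af_packet::eth1`, the worker whose interface is no longer configured.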
