[Zeek] Interface Removed From Config but Keeps Monitoring Traffic
Justin Azoff
justin at corelight.com
Wed Apr 10 16:31:50 PDT 2019
On Wed, Apr 10, 2019 at 10:22 AM Kevin Ross <kevross33 at googlemail.com> wrote:
>
> Hi,
>
> I configured an afpacket interface in addition to one I was already using and it monitored fine but I want to stop monitoring this link for now and just leave it to Suricata at the moment.
>
> I have removed the configuration for it and redeployed, cleaned and everything else I can think of and many config installs and when started while only the workers configured on the original interface show in running jobs I am still getting traffic events from the other interface (I know this because of the IPs being monitored).

Ah, you needed to stop those extra workers before removing them from
the configuration. I thought we added something to warn people when
they did that, but that may only detect if you reduce lb_procs and not
remove an interface entirely.

> Is there anything I can check or clean up to try and force bro to completely "forget" it ever knew about this interface? Thanks.

The easiest thing to do would be to do

    broctl stop
    broctl ps.bro

That should show any remaining orphaned bro processes. Kill those,
then start things back up and you should be good to go.
--
Justin
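
Added example, not part of the original message or of broctl: a shell sketch that flags bro processes still sniffing an interface that node.cfg no longer lists, which is the orphaned-worker condition described above. The node.cfg contents, ps output, PIDs and paths are constructed samples, the function names are hypothetical, and it assumes the interface= value appears verbatim after -i on the worker command line.

```shell
#!/bin/sh
# Constructed node.cfg after the second interface was removed.
SAMPLE_NODE_CFG='[manager]
type=manager
host=localhost

[worker-1]
type=worker
host=localhost
interface=af_packet::eth0
lb_method=custom
lb_procs=2'

# Constructed `ps -eo pid=,args=` output; PIDs and paths are made up.
SAMPLE_PS=' 2101 /opt/bro/bin/bro -U .status -p broctl -p manager local.bro
 2190 /opt/bro/bin/bro -i af_packet::eth0 -U .status -p broctl -p worker-1-1 local.bro
 2191 /opt/bro/bin/bro -i af_packet::eth0 -U .status -p broctl -p worker-1-2 local.bro
 1877 /opt/bro/bin/bro -i af_packet::eth1 -U .status -p broctl -p worker-2-1 local.bro
 1640 /usr/bin/suricata --af-packet=eth1 -c /etc/suricata/suricata.yaml'

# Read a node.cfg on stdin and print each distinct interface= value.
configured_interfaces() {
    sed -n 's/^[[:space:]]*interface[[:space:]]*=[[:space:]]*//p' |
        sed 's/[[:space:]]*$//' | sort -u
}

# Read "PID ARGS..." lines on stdin; the arguments are the configured
# interfaces. Print "PID INTERFACE" for every bro process whose -i
# argument is not one of them.
orphaned_workers() {
    awk -v cfg="$*" '
        BEGIN { n = split(cfg, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            if ($2 !~ /(^|\/)bro$/) next          # skip non-bro processes
            for (i = 3; i < NF; i++)
                if ($i == "-i" && !($(i + 1) in ok)) print $1, $(i + 1)
        }'
}

# Demo on the constructed samples. On a sensor, feed the real node.cfg
# and the output of `ps -eo pid=,args=` instead.
ifaces=$(printf '%s\n' "$SAMPLE_NODE_CFG" | configured_interfaces)
printf '%s\n' "$SAMPLE_PS" | orphaned_workers $ifaces
```

An empty result means every running worker matches the current configuration; any line printed is a process to review before killing it as described above.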