[Zeek] Zeek + PF_Ring Issue

Jorge García Rodríguez JorgeGarcia.1995 at outlook.es
Thu Dec 19 07:55:47 PST 2019




________________________________
From: Justin Azoff <justin at corelight.com>
Sent: Thursday, 19 December 2019 16:06
To: Jorge García Rodríguez <JorgeGarcia.1995 at outlook.es>
Cc: zeek at zeek.org <zeek at zeek.org>
Subject: Re: [Zeek] Zeek + PF_Ring Issue

Thank you for your reply


Also, after further investigation, it seems that the script that is overloading the CPU is weird.zeek. Is there a way to disable this script?

Do you say that because you have a lot of entries in the weird log? That points to traffic issues that need to be fixed... disabling the weird logs will just ignore the problem. What are the top weirds that you are seeing?

    cat /usr/local/zeek/logs/current/weird.log |zeek-cut name|sort|uniq  -c|sort -rn

I have 160167 entries in like 10 minutes.

After 20 mins I have a total of 329572 entries and 245954 of them are bad_HTTP_request

What did you see as the result from this check?

#################################################################
# Checking if many recent connections have a SAD or had history #
#################################################################
error: 52.91%, 33795 out of 63873 connections are half duplex


Best Regards!

--
Jorge
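
An added example, not part of the original message and not the code of the tool whose output is quoted above: a Python sketch that recomputes the half-duplex share from a conn.log in Zeek's TSV format. Treating a connection as half duplex when its `history` is exactly `SAD` or `had` is an assumption taken from the check's title, and the sample log is constructed.

```python
"""Share of conn.log connections that were seen in one direction only."""

# Assumption: the two history strings named in the check's title.
# Uppercase letters are originator packets, lowercase are responder packets,
# so "SAD" has no responder side and "had" has no originator side.
HALF_DUPLEX = ("SAD", "had")

# Constructed conn.log excerpt in Zeek's TSV format, trimmed to three columns.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tuid\tid.resp_p\thistory",
    "#types\tstring\tport\tstring",
    "C1\t80\tSAD",
    "C2\t80\tSAD",
    "C3\t80\thad",
    "C4\t443\tShADadFf",
    "C5\t443\tShADadfF",
    "C6\t53\tDd",
    "C7\t80\tSAD",
    "C8\t80\thad",
    "#close\t2019-12-19-16-00-00",
])


def read_zeek_tsv(text):
    """Yield one dict per record, keyed by the names on the #fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("record found before the #fields header")
            yield dict(zip(fields, line.split("\t")))


def half_duplex_ratio(text):
    """Return (half_duplex, total, percent, per-history counts)."""
    total = 0
    by_kind = {kind: 0 for kind in HALF_DUPLEX}
    for rec in read_zeek_tsv(text):
        total += 1
        if rec.get("history") in by_kind:
            by_kind[rec["history"]] += 1
    bad = sum(by_kind.values())
    percent = 100.0 * bad / total if total else 0.0
    return bad, total, percent, by_kind


if __name__ == "__main__":
    bad, total, percent, by_kind = half_duplex_ratio(SAMPLE_CONN_LOG)
    print(f"{percent:.2f}%, {bad} out of {total} connections are half duplex {by_kind}")
```

The per-history counts show which direction of the traffic is missing from the capture, which is the first thing to check on the tap or load-balancing side.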