[Zeek] Zeek + PF_Ring Issue
Jorge García Rodríguez
JorgeGarcia.1995 at outlook.es
Thu Dec 19 07:55:47 PST 2019
Sent from Outlook<http://aka.ms/weboutlook>
________________________________
From: Justin Azoff <justin at corelight.com>
Sent: Thursday, December 19, 2019 16:06
To: Jorge García Rodríguez <JorgeGarcia.1995 at outlook.es>
Cc: zeek at zeek.org <zeek at zeek.org>
Subject: Re: [Zeek] Zeek + PF_Ring Issue
Thank you for your reply
Also, doing a further investigation, it seems that the script that is overcharging the CPU is the weird.zeek. Is there a way to disable this script?
Do you say that because you have a lot of entries in the weird log? That points to traffic issues that need to be fixed... Disabling the weird logs will just ignore the problem. What are the top weirds that you are seeing?
cat /usr/local/zeek/logs/current/weird.log |zeek-cut name|sort|uniq -c|sort -rn
I have 160167 entries in like 10 minutes.
After 20 mins I have a total of 329572 entries and 245954 of them are bad_HTTP_request
What did you see as the result from this check?
# Checking if many recent connections have a SAD or had history
#################################################################
# Checking if many recent connections have a SAD or had history #
#################################################################
error: 52.91%, 33795 out of 63873 connections are half duplex
Best Regards!
--
Jorge
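
Added example, not part of the thread and not zeek-doctor's own code: one way to estimate the share of one-sided TCP connections from conn.log, the symptom the check output above reports as "half duplex". It assumes Zeek's TSV log layout and the convention that the history field records originator events in upper case and responder events in lower case; the sample log and the function names are constructed for illustration.

```python
# Constructed sample in Zeek's TSV conn.log layout (not data from the thread).
SAMPLE_CONN_LOG = (
    "#fields\tts\tuid\tproto\thistory\n"
    "#types\ttime\tstring\tenum\tstring\n"
    "1576770000.0\tC1\ttcp\tShADadFf\n"   # both directions seen
    "1576770001.0\tC2\ttcp\tSAD\n"        # originator side only
    "1576770002.0\tC3\ttcp\thad\n"        # responder side only
    "1576770003.0\tC4\tudp\tDd\n"         # not TCP, ignored
    "1576770004.0\tC5\ttcp\tShADadfF\n"   # both directions seen
    "1576770005.0\tC6\ttcp\t-\n"          # history unset, ignored
)


def read_zeek_tsv(text):
    """Yield one dict per record, taking column names from the #fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))


def is_one_sided(history):
    """True when every history letter was recorded for the same endpoint."""
    letters = [c for c in history if c.isalpha()]
    if not letters:
        return False
    return all(c.isupper() for c in letters) or all(c.islower() for c in letters)


def half_duplex_share(text):
    """Return (one_sided, total, percent) over TCP records that have a history."""
    total = one_sided = 0
    for rec in read_zeek_tsv(text):
        history = rec.get("history", "-")
        if rec.get("proto") != "tcp" or history == "-":
            continue
        total += 1
        one_sided += is_one_sided(history)
    percent = 100.0 * one_sided / total if total else 0.0
    return one_sided, total, percent


if __name__ == "__main__":
    bad, total, pct = half_duplex_share(SAMPLE_CONN_LOG)
    print(f"{pct:.2f}%, {bad} out of {total} connections are one-sided")
```

A high one-sided share means the sensor is receiving only one direction of many flows, which is a capture or traffic-feed problem to fix upstream rather than something to hide by turning off a log.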