[Zeek] Error with filters

Jorge Garcia Rodriguez jgarciar at sia.es
Mon Apr 6 02:20:27 PDT 2020


Hi!

Zeek doesn't return an error at the start. It just isn't filtering.

If I run the command "zeekctl print restrict_filters" I get this output for every worker:

Zeek-1-W-1-1   restrict_filters = {
        [hosts] =  not host 172.22.96.200
}

But the log "packet_filter.log" is not being recorded. However, on the machines where the filter works correctly, this log is being recorded.

Thank you for your reply.

Regards.


Jorge García Rodríguez
Technical Consultant
Security Infrastructures
jgarciar at sia.es
Grupo SIA
Avda.Europa,2 - Alcor Plaza, Edificio B - Parque Oeste Alcorcón
28922 Alcorcón - Madrid
Tlf: +34 902 480 580   Fax: +34 91 307 79 80
www.siainternational.com
delivering value
This e-mail and any attached files are intended solely for the addresse/s identified herein. It may contain confidential and/or legally privileged information and may not necessarily represent the opinion of SIA.
No legally binding commitments will be created by this E-mail message. Where we intend to create legally binding commitments these will be made through hard copy correspondence or documents. If you receive this message by mistake, please immediately notify the sender and delete it since you are not authorized to use, disclose, distribute, print or copy all or part of the contained information Thank you. It is understood that the message was sent to you accidentally, although you appear as the addressee, you can see from the frame of existing relations that you were not the final addressee.
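As an added example (not code from this thread or from the Zeek project): a small Python checker that parses a packet_filter.log in Zeek's default ASCII TSV format and reports, per node, whether the filter was installed (success = T) and whether the expected restrict_filters clause appears in the filter string. It assumes the standard columns ts, node, filter, init, success. The sample log lines are constructed; the first worker name follows the zeekctl output above and the second is invented to show a worker whose filter lacks the clause. A worker that never wrote an entry, as described above, is reported the same way as one whose filter is missing the clause. Whitespace is collapsed before comparison, so the leading space in the redef string does not matter.

```python
"""Check Zeek's packet_filter.log for an expected restrict_filters clause.

Added example; not from the mailing-list thread or the Zeek project. Assumes the
log is in Zeek's default ASCII TSV format with columns ts, node, filter, init, success.
"""
import re
import sys
from typing import Dict, List, Sequence, Tuple

# Constructed sample log (not real data). The first node name follows the zeekctl
# output in the thread; the second is invented and carries a filter without the clause.
SAMPLE_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tpacket_filter\n"
    "#open\t2020-04-06-09-00-00\n"
    "#fields\tts\tnode\tfilter\tinit\tsuccess\n"
    "#types\ttime\tstring\tstring\tbool\tbool\n"
    "1586163600.000000\tZeek-1-W-1-1\t(not host 172.22.96.200)\tT\tT\n"
    "1586163600.000000\tZeek-1-W-1-2\tip or not ip\tT\tT\n"
    "#close\t2020-04-06-09-00-01\n"
)


def parse_zeek_tsv(text: str) -> List[Dict[str, str]]:
    """Parse Zeek's ASCII TSV log: '#fields' names the columns, other '#' lines are metadata."""
    fields = None
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue
        if fields is None:
            raise ValueError("data row appears before the #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"column count mismatch in line: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def normalize_bpf(expr: str) -> str:
    """Collapse runs of whitespace so ' not  host X' and 'not host X' compare equal."""
    return re.sub(r"\s+", " ", expr).strip()


def filter_status(records: Sequence[Dict[str, str]], expected_clause: str) -> Dict[str, Tuple[bool, bool]]:
    """Map node -> (filter installed, expected clause present), using each node's latest entry."""
    want = normalize_bpf(expected_clause)
    latest: Dict[str, Dict[str, str]] = {}
    for rec in records:
        latest[rec["node"]] = rec  # later rows override earlier ones for the same node
    status: Dict[str, Tuple[bool, bool]] = {}
    for node, rec in latest.items():
        installed = rec["success"] == "T"
        present = want in normalize_bpf(rec["filter"])
        status[node] = (installed, present)
    return status


def nodes_missing_clause(records: Sequence[Dict[str, str]], expected_clause: str,
                         expected_nodes: Sequence[str]) -> List[str]:
    """Nodes (e.g. the worker list from zeekctl) with no entry, a failed install, or no clause."""
    status = filter_status(records, expected_clause)
    return sorted(n for n in expected_nodes if status.get(n) != (True, True))


def main(argv: List[str]) -> int:
    # Usage: check_packet_filter.py [packet_filter.log] [expected clause]
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_LOG
    expected = argv[2] if len(argv) > 2 else " not host 172.22.96.200"
    for node, (installed, present) in sorted(filter_status(parse_zeek_tsv(text), expected).items()):
        print(f"{node}: installed={installed} clause_present={present}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a real log with the clause from the redef as the second argument; to catch workers that never logged an entry at all, pass the worker names from zeekctl to nodes_missing_clause rather than relying on what appears in the log.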


From: Tim Wojtulewicz [mailto:tim at corelight.com]
Sent: Saturday, 4 April 2020 1:38
To: Jorge Garcia Rodriguez
CC: zeek at zeek.org
Subject: Re: [Zeek] Error with filters

Is zeek returning an error or is it just not filtering? Is the filter listed correctly in packet_filter.log? I tested the same filter redef here with a test file and it appeared to be working.

Tim


On Apr 3, 2020, at 3:57 AM, Jorge Garcia Rodriguez <jgarciar at sia.es> wrote:

Hi guys.

We have recently updated the version of our Zeeks to the latest stable 3.1.1 from 3.0.1.

My problem is that in the previous version we had a filter that worked perfectly and now in the new version it doesn’t work anymore.

The filter is at the end of the local.zeek file and is the following one:

redef restrict_filters += { ["hosts"] = " not host 172.22.96.200" };

I don’t know if it is a bug or we have to write the filter differently but it doesn’t work in the new version.

Thank you,

Regards.







