[Zeek] Help,About Packet Filter
my
manyiant at 163.com
Sun Mar 1 22:33:13 PST 2020
Hi,
I tested the config you provided, but it didn't work. I read the source code and used the following config for traffic filtering. It's not perfect.
redef packet_filter_default = F;
event zeek_init()
{
install_src_addr_filter($ip=123.2.15.75, $tcp_flags=63, $prob=1.0);
install_src_addr_filter($ip=123.2.15.75, $tcp_flags=1, $prob=1.0);
install_src_addr_filter($ip=123.2.15.75, $tcp_flags=2, $prob=1.0);
install_src_addr_filter($ip=123.2.15.75, $tcp_flags=4, $prob=1.0);
...
}
At 2020-01-24 00:15:22, "Justin Azoff" <justin at corelight.com> wrote:
Is your traffic encapsulated with vlan tags? Does changing the filter to
vlan and host 123.2.15.75
work any better?
On Tue, Jan 21, 2020 at 9:44 PM my <manyiant at 163.com> wrote:
Hi, friends:
I use restrict_filters to filter the traffic, but the settings did not take effect: all of the traffic was filtered. What should I do?
My script is as follows:
redef restrict_filters += {
["unmonitored host"] = "host 123.2.15.75"
};
I am looking forward to your reply. Thanks.
_______________________________________________
Zeek mailing list
zeek at zeek.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
--
Justin
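As an added example (not code posted by any participant in this thread), an exclusion built with restrict_filters, which Zeek ANDs into the final BPF expression, so a plain "host X" keeps only that host while "not host X" drops it; it reuses the address from the thread and assumes frames carry at most one 802.1Q tag:

```zeek
# Added example (not from the thread): exclude one host from Zeek's capture
# filter. restrict_filters entries are ANDed into the final BPF filter, so
# "host 123.2.15.75" alone would KEEP only that host; the negated form drops it.
# Assumes at most a single 802.1Q tag. Check the compiled expression with
# `tcpdump -d '<expr>'` and in packet_filter.log after startup.
@load base/frameworks/packet-filter

redef restrict_filters += {
    # Untagged frames to or from the host.
    ["unmonitored host"] = "not host 123.2.15.75",
    # The same host when frames are VLAN-tagged: the "vlan" keyword shifts the
    # BPF decoding offsets past the 802.1Q header for the rest of the expression,
    # which is why a bare "host" never matches tagged traffic.
    ["unmonitored host (vlan)"] = "not (vlan and host 123.2.15.75)"
};
```

Because the two entries are ANDed, a tagged frame from the host fails the second test and an untagged one fails the first, so both are excluded while everything else still passes.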