[Zeek] First attempt to upgrade to 3: Multiple interfaces
Don Thomas
don.thomas.cissp at gmail.com
Wed Mar 4 16:08:53 PST 2020
Please bring back the multiple interface option. I have two Gigamon's
(each has a 10 G interface ) Feeding Zeek on our IDS.
Or else Zeek is a No Go for me as well.
Yes... I need the multiple interface option !
Thank you,
*Don Thomas, CISSP, CISA*
On Tue, Mar 3, 2020 at 11:30 AM Tim Wojtulewicz <tim at corelight.com> wrote:
> If you don’t really need the latest and greatest cutting edge changes to
> 3.1, version 3.0.x still supports multiple interfaces. That feature was
> removed in 3.1 due to the wide changes to the IO Loop architecture, and
> you’re honestly the first user I’ve heard from that has noticed it missing.
> It was removed to make that work easier to accomplish, but we can certainly
> investigate bringing it back if there’s enough of a use case for it.
>
> Tim
>
> > On Mar 3, 2020, at 12:03 PM, James Lay <jlay at slave-tothe-box.net> wrote:
> >
> > Welp...out of luck so far:
> >
> > /opt/zeek/bin/zeek -C -i eth0 -i eth1 --filter '<redacted>' local
> > "Site::local_nets += { 192.168.1.0/24 }"
> >
> > gets me:
> >
> > ERROR: Only a single interface option (-i) is allowed.
> >
> > I didn't have this issue with 2. Any reason why only one interface is
> > allowed now? Unless something radical has changed with the resources
> > that zeekctl uses I have no desire to use it. I'm dead in the water
> > with Zeek as of now. Thank you.
> >
> > James
> > _______________________________________________
> > Zeek mailing list
> > zeek at zeek.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>
>
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200304/d11dd862/attachment.html
More information about the Zeek
mailing list