[Zeek] No packets captured by Zeek under OpenBSD

Jon Siwek jsiwek at corelight.com
Mon Mar 9 20:25:28 PDT 2020


A cluster seems to be working for me on OpenBSD after the following
couple tricks:

* echo "redef Broker::disable_ssl=T;" >> /usr/local/zeek/share/zeek/site/local.zeek
* ZEEK_DEFAULT_LISTEN_ADDRESS=127.0.0.1 zeekctl deploy

The first one is because SSL between Zeek processes isn't currently
working on OpenBSD (likely due to some particularity of libressl
usage instead of openssl).

The second one may be a bug, or just general configuration issue with
Zeek processes trying to listen/connect to each other over IPv6 on
OpenBSD.  You can verify what it's trying to listen on via `netstat
-lp tcp` (should find things around 47761+ using "tcp" rather than
"tcp6").

Generally, OpenBSD is not an officially supported platform: it doesn't
receive as much testing as others and so is more prone to bugs/breakages,
but patches that make things work better on OpenBSD are welcome.

- Jon
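The two workarounds and the netstat check from the reply above, wrapped into a small script. This is an added example, not code from the thread or from the Zeek project. It assumes the local.zeek path is passed in as an argument, and the netstat sample embedded below is a constructed approximation of OpenBSD's `netstat -lp tcp` output (column layout may differ between releases).

```shell
#!/bin/sh
# Added example, not from the thread or the Zeek project: apply the two
# OpenBSD cluster workarounds and check which address family the nodes
# actually listen on.

# add_disable_ssl <local.zeek>: append the Broker::disable_ssl redef once,
# so re-running the script does not keep duplicating the line.
add_disable_ssl() {
    grep -q '^redef Broker::disable_ssl=T;' "$1" 2>/dev/null ||
        echo 'redef Broker::disable_ssl=T;' >> "$1"
}

# deploy_ipv4: redeploy with Broker listening on IPv4 loopback instead of
# whatever it picks by default (the second trick from the reply).
deploy_ipv4() {
    ZEEK_DEFAULT_LISTEN_ADDRESS=127.0.0.1 zeekctl deploy
}

# zeek_listeners <tcp|tcp6>: read netstat output on stdin and print
# "<proto> <address> <port>" for LISTEN sockets on ports 47761 and up,
# the range where zeekctl's cluster nodes are expected.
zeek_listeners() {
    awk -v want="$1" '
        $1 == want && $NF == "LISTEN" {
            n = split($4, f, ".")           # port is the last dot-separated field
            port = f[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (port + 0 >= 47761) print $1, addr, port
        }'
}

# Constructed sample (not real output): one node ended up on IPv6 loopback.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  127.0.0.1.47761        *.*                    LISTEN
tcp          0      0  127.0.0.1.47762        *.*                    LISTEN
tcp6         0      0  ::1.47763              *.*                    LISTEN
tcp          0      0  *.22                   *.*                    LISTEN'

# count_ipv6_nodes: number of cluster ports bound on tcp6 in the sample;
# anything above zero means the ZEEK_DEFAULT_LISTEN_ADDRESS workaround
# did not take effect for that node.
count_ipv6_nodes() {
    printf '%s\n' "$SAMPLE_NETSTAT" | zeek_listeners tcp6 | wc -l | tr -d ' '
}

# On a real host, after `add_disable_ssl <path> && deploy_ipv4`:
#   netstat -lp tcp | zeek_listeners tcp6
# should print nothing; `zeek_listeners tcp` should show every node on 127.0.0.1.
```

The redef append is made idempotent on purpose: zeekctl re-reads local.zeek on every deploy, and a duplicated redef line is harmless but makes the file harder to audit.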

On Sun, Mar 8, 2020 at 4:57 AM Carlos Lopez <clopmz at outlook.com> wrote:
>
> This problem only appears when Zeek is configured as a cluster and using a distributed installation or configuring several network interfaces, like for example:
>
> [manager]
> type=manager
> host=127.0.0.1
>
> [logger]
> type=logger
> host=127.0.0.1
>
> [proxy]
> type=proxy
> host=127.0.0.1
>
> [worker-1]
> type=worker
> host=127.0.0.1
> interface=vio2
>
> [worker-2]
> type=worker
> host=127.0.0.1
> interface=vio3
>
> When Zeek is configured in standalone mode everything works correctly.
>
> Among the hosts I'm testing, network communications are working perfectly between them and PF is disabled. Maybe it is a bug? I am using Zeek 3.0.3-dev.3 under OpenBSD 6.6 (fully patched).
>
> --
> Regards,
> C. L. Martinez
>
> From: <zeek-bounces at zeek.org> on behalf of Carlos Lopez <clopmz at outlook.com>
> Date: Saturday, 7 March 2020 at 23:00
> To: "zeek at zeek.org" <zeek at zeek.org>
> Subject: [Zeek] No packets captured by Zeek under OpenBSD
>
> Hi all,
>
> I just installed Zeek 3.0.3-dev.3 under two OpenBSD 6.6 amd64 vms (one as worker and another as manager). All seems to work ok but no packet is captured by the Zeek worker. In the logs directory, there are only the following files:
>
> total 100
> drwxr-xr-x  2 root  wheel    512 Mar  7 21:50 ./
> drwxr-xr-x  7 root  wheel    512 Mar  7 21:50 ../
> -rw-r--r--  1 root  wheel    137 Mar  7 21:42 .cmdline
> -rw-r--r--  1 root  wheel    350 Mar  7 21:42 .env_vars
> -rw-r--r--  1 root  wheel      6 Mar  7 21:42 .pid
> -rw-r--r--  1 root  wheel     58 Mar  7 21:42 .startup
> -rwx------  1 root  wheel     18 Mar  7 21:42 .status*
> -rw-r--r--  1 root  wheel    401 Mar  7 21:43 cluster.log
> -rw-r--r--  1 root  wheel  30276 Mar  7 21:43 loaded_scripts.log
> -rw-r--r--  1 root  wheel    856 Mar  7 21:53 stats.log
> -rw-r--r--  1 root  wheel      0 Mar  7 21:42 stderr.log
> -rw-r--r--  1 root  wheel    140 Mar  7 21:43 stdout.log
>
> None of them shows any error. Same for the spool directory … Running tcpdump in the worker node works without problem and I can see all the traffic …
>
> Any idea?
>
> --
> Regards,
> C. L. Martinez