[Zeek] No packets captured by Zeek under OpenBSD
Jon Siwek
jsiwek at corelight.com
Mon Mar 9 20:25:28 PDT 2020
A cluster seems to be working for me on OpenBSD after the following
couple tricks:
* echo "redef Broker::disable_ssl=T;" >> /usr/local/zeek/share/zeek/site/local.zeek
* ZEEK_DEFAULT_LISTEN_ADDRESS=127.0.0.1 zeekctl deploy
The first one is because SSL between Zeek processes isn't currently
working on OpenBSD (likely due to some particularity of libressl
usage instead of openssl).
The second one may be a bug, or just a general configuration issue with
Zeek processes trying to listen/connect to each other over IPv6 on
OpenBSD. You can verify what it's trying to listen on via `netstat
-lp tcp` (should find things around 47761+ using "tcp" rather than
"tcp6").
Generally, OpenBSD is not an officially supported platform: it doesn't
receive as much testing as others and so is more prone to bugs/breakages,
but patches that make things work better on OpenBSD are welcome.
- Jon
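As an added example (not code from Jon, Carlos, or the Zeek project), here is a small POSIX shell check that automates the netstat verification above: it parses `netstat -lnp tcp` style output and reports which Zeek cluster listeners (ports 47761 and up, zeekctl's usual base port, taken as an assumption here) are bound on tcp6 rather than tcp. The netstat sample is constructed, and the column layout ("Proto Recv-Q Send-Q Local Address Foreign Address (state)" with numeric `addr.port` addresses) is an assumption about OpenBSD's output; adjust the awk field numbers if your netstat prints differently.

```shell
#!/bin/sh
# Added example, not part of the thread or of Zeek/zeekctl.
# Assumption: netstat output uses the layout
#   Proto  Recv-Q Send-Q  Local Address  Foreign Address  (state)
# with numeric addresses written as "addr.port" (netstat -lnp tcp).

# zeekctl's default base port is assumed to be 47761 (override via env).
ZEEK_PORT_MIN=${ZEEK_PORT_MIN:-47761}

# zeek_listeners: read netstat output on stdin and print "proto addr port"
# for every listening tcp/tcp6 socket whose port is >= ZEEK_PORT_MIN.
zeek_listeners() {
    awk -v min="$ZEEK_PORT_MIN" '
        $1 ~ /^tcp6?$/ {
            # Local Address is "addr.port"; the port is after the last dot,
            # which also works for IPv6 forms such as "::1.47761".
            n = split($4, parts, ".")
            port = parts[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (port + 0 >= min + 0) print $1, addr, port
        }'
}

# count_tcp6_listeners: how many of those Zeek listeners are on tcp6,
# i.e. the symptom that ZEEK_DEFAULT_LISTEN_ADDRESS=127.0.0.1 works around.
count_tcp6_listeners() {
    zeek_listeners | awk '$1 == "tcp6" { c++ } END { print c + 0 }'
}

# Constructed sample (not real captured output): manager and logger on
# IPv4 loopback, proxy bound via tcp6 on all addresses, plus unrelated sshd.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  127.0.0.1.47761        *.*                    LISTEN
tcp          0      0  127.0.0.1.47762        *.*                    LISTEN
tcp6         0      0  *.47763                *.*                    LISTEN
tcp          0      0  *.22                   *.*                    LISTEN'

# demo: run the check over the constructed sample and print a verdict.
# On a live host use:  netstat -lnp tcp | count_tcp6_listeners
demo() {
    printf '%s\n' "$SAMPLE_NETSTAT" | zeek_listeners
    n=$(printf '%s\n' "$SAMPLE_NETSTAT" | count_tcp6_listeners)
    if [ "$n" -gt 0 ]; then
        echo "WARNING: $n Zeek listener(s) on tcp6; consider ZEEK_DEFAULT_LISTEN_ADDRESS=127.0.0.1 zeekctl deploy"
    else
        echo "OK: all Zeek listeners are on tcp (IPv4)"
    fi
}

demo
```

The check only looks at listening sockets, so run it on every cluster host after `zeekctl deploy`; a listener that is on tcp but bound to `*` rather than a loopback or management address is also worth a second look, since Broker traffic without SSL (the first workaround) should not be reachable from untrusted networks.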
On Sun, Mar 8, 2020 at 4:57 AM Carlos Lopez <clopmz at outlook.com> wrote:
>
> This problem only appears when Zeek is configured as a cluster and using a distributed installation or configuring several network interfaces, like for example:
>
> [manager]
> type=manager
> host=127.0.0.1
>
> [logger]
> type=logger
> host=127.0.0.1
>
> [proxy]
> type=proxy
> host=127.0.0.1
>
> [worker-1]
> type=worker
> host=127.0.0.1
> interface=vio2
>
> [worker-2]
> type=worker
> host=127.0.0.1
> interface=vio3
>
> When Zeek is configured in standalone mode everything works correctly.
>
> Among the hosts I'm testing, network communications are working perfectly between them and PF is disabled. Maybe it is a bug? I am using Zeek 3.0.3-dev.3 under OpenBSD 6.6 (fully patched).
>
> --
> Regards,
> C. L. Martinez
>
> From: <zeek-bounces at zeek.org> on behalf of Carlos Lopez <clopmz at outlook.com>
> Date: Saturday, 7 March 2020 at 23:00
> To: "zeek at zeek.org" <zeek at zeek.org>
> Subject: [Zeek] No packets captured by Zeek under OpenBSD
>
> Hi all,
>
> I just installed Zeek 3.0.3-dev.3 under two OpenBSD 6.6 amd64 VMs (one as worker and another as manager). All seems to work ok, but no packet is captured by the Zeek worker. In the logs directory, there are only the following files:
>
> total 100
> drwxr-xr-x 2 root wheel 512 Mar 7 21:50 ./
> drwxr-xr-x 7 root wheel 512 Mar 7 21:50 ../
> -rw-r--r-- 1 root wheel 137 Mar 7 21:42 .cmdline
> -rw-r--r-- 1 root wheel 350 Mar 7 21:42 .env_vars
> -rw-r--r-- 1 root wheel 6 Mar 7 21:42 .pid
> -rw-r--r-- 1 root wheel 58 Mar 7 21:42 .startup
> -rwx------ 1 root wheel 18 Mar 7 21:42 .status*
> -rw-r--r-- 1 root wheel 401 Mar 7 21:43 cluster.log
> -rw-r--r-- 1 root wheel 30276 Mar 7 21:43 loaded_scripts.log
> -rw-r--r-- 1 root wheel 856 Mar 7 21:53 stats.log
> -rw-r--r-- 1 root wheel 0 Mar 7 21:42 stderr.log
> -rw-r--r-- 1 root wheel 140 Mar 7 21:43 stdout.log
>
> None of them shows any error. Same for the spool directory … Running tcpdump on the worker node works without problem and I can see all the traffic …
>
> Any idea?
>
> --
> Regards,
> C. L. Martinez
>
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek