Situation: I have set up a Zeek/Bro IDS and have it listening on one interface (with iptables forwarding traffic).
client1 === iptables === client2
||
zeek_ids
Problem: Zeek is getting triggered by 127.0.0.1/8 traffic, and I cannot find any materials on Google to help me ignore that traffic.
Question: Not limited to just 127.0.0.0/8 traffic, how can I configure Zeek so that it ignores traffic coming from certain subnets?
Additional information 1: I have attempted to add the subnet (127.0.0.0/8) to $ZEEK_PREFIX/etc/networks.cfg, and it did nothing.
You have several options, all using BPF filters to exclude specific subnet ranges. You can:
- use -f to pass in such a filter,
- use the capture_filters table in the scripting layer,
- use the PacketFilter module.
A possible BPF filter to use in your case would be: not net 127.0.0.0/8
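To show the scripting-layer options from the answer side by side, here is an added local.zeek fragment (my own example, not code from the answer or from the Zeek project). It assumes a stock Zeek install, where the packet-filter framework is loaded by default, and uses 192.0.2.0/24 as a placeholder for a second subnet to exclude.

```zeek
# Added example: keep loopback and one other subnet out of Zeek's analysis.
# 192.0.2.0/24 is a placeholder; substitute the subnet you want ignored.

# Exclusions fit restrict_filters best: its entries are AND-ed onto the
# capture filter, so several "not net" clauses compose as expected.
# (capture_filters entries are OR-ed together, which suits allow-lists.)
redef restrict_filters += {
    ["exclude-loopback"] = "not net 127.0.0.0/8",
    ["exclude-placeholder"] = "not net 192.0.2.0/24",
};

# The same exclusions through the PacketFilter API, handy when the list is
# maintained as data rather than as filter strings. PacketFilter::exclude()
# negates the filter it is given and reinstalls the combined BPF filter.
const ignored_nets: set[subnet] = { 127.0.0.0/8, 192.0.2.0/24 } &redef;

event zeek_init()
    {
    for ( n in ignored_nets )
        {
        local tag = fmt("exclude-%s", n);
        if ( ! PacketFilter::exclude(tag, fmt("net %s", n)) )
            Reporter::warning(fmt("could not install exclusion for %s", n));
        }
    }

# Command-line alternative (takes precedence over the scripted filter):
#   zeek -i eth0 -f 'not net 127.0.0.0/8' local
```

Only one of the two script mechanisms is needed; they are shown together so the resulting filter can be compared in packet_filter.log after startup.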