DEVHIDE
Login Or Sign up

How to configure bro to ignore traffic from certain subnets?

885 Views Asked by At

Situation: I have set up a Zeek/Bro IDS and have it listen on one interface (with iptables forwarding traffic.

client1 === iptables === client2
               ||
            zeek_ids

Problem: Zeek is getting triggered by 127.0.0.1/8 traffic and I cannot find any materials to help me ignore those traffic on Google.

Question: Not to limit to just 127.0.0.0/8 traffic, how can I configure Zeek such that it is able to ignore traffic coming from certain subnets?

Additional information 1: I have attempted to add the subnet (127.0.0.0/8) to $ZEEK_PREFIX/etc/networks.cfg and it did nothing

bro zeek
Original Q&A
1

There are 1 best solutions below

0
On

You have several options, all using BPF filters to exclude specific subnet ranges. You can:

  • invoke Zeek with -f to pass in such a filter,
  • add entries to the capture_filters table in the scripting layer,
  • use the more advanced features of the PacketFilter module.

A possible BPF filter to use in your case would be not net 127.0.0.0/8.

Related Questions in BRO

Related Questions in ZEEK

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Popular Questions

Copyright © 2021 Jogjafile Inc.