Changing the Interfaces on Which Zeek Listens

We include a tool that asks “What interface would you like to listen on” inside the docker container. While it runs automatically on first boot, it’s by no means obvious how to rerun it to listen on multiple interfaces.

First, get a list of the interfaces on which you wish to listen with “ifconfig -a”. You will generally ignore interfaces whose names start with “docker”, “lo”, “br”, and “veth”; the likely ones usually start with “eth” or “en”. Look at the values next to “RX packets” and “TX packets” (or “RX bytes” and “TX bytes”); interfaces connected to a span/tap/mirror/copy port will almost always have very high values next to “RX” and little or no traffic next to “TX”. Jot down the interface name(s), as you’ll want to check those interfaces when you run zeekcfg next.

As a side note, interfaces through which you route normal traffic (such as your default route interface, seen with "route -n | grep '^0\.0\.0\.0'") are very unlikely to be connected to a sniffer port on your switch.

You’ll need to run the following command on your Zeek sensor. While it may be wrapped here, the command needs to be on a single line, with spaces replacing linefeeds.

docker run --rm -it --network host --mount source=/opt/zeek/etc/node.cfg,destination=/node.cfg,type=bind "activecm/zeek:latest" zeekcfg -o /node.cfg --type afpacket --processes 0 --no-pin

If it’s easier to enter it as 4 separate lines, the following block is the same command as the above; just don’t put any characters after the backslashes on the first 3 lines.

docker run --rm -it --network host \
--mount source=/opt/zeek/etc/node.cfg,destination=/node.cfg,type=bind \
"activecm/zeek:latest" \
zeekcfg -o /node.cfg --type afpacket --processes 0 --no-pin

This program will ask which interface(s) you want to sniff on; select each one connected to a mirror port. Finally, we recommend restarting the system to make sure that Zeek uses the new configuration file.
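The interface triage from the first step, scripted as an added example that is not part of this FAQ or of the activecm/zeek image: it reads byte counters from Linux sysfs instead of parsing ifconfig, uses "ip route" to find the default-route interface, and the 1 MB minimum and 100:1 RX-to-TX ratio are assumed thresholds you may need to tune for your sensor.

```shell
#!/bin/sh
# Added example (not from the Active Countermeasures FAQ). Applies the FAQ's
# heuristic: skip docker*/lo*/br*/veth* names, skip the default-route
# interface, and flag interfaces that receive heavily but send almost nothing.

# Print "name rx_bytes tx_bytes" for each interface, from sysfs (Linux only).
list_interface_counters() {
    for d in /sys/class/net/*; do
        [ -f "$d/statistics/rx_bytes" ] || continue   # skip e.g. bonding_masters
        printf '%s %s %s\n' "$(basename "$d")" \
            "$(cat "$d/statistics/rx_bytes")" "$(cat "$d/statistics/tx_bytes")"
    done
}

# Name of the IPv4 default-route interface, or empty if there is none.
default_route_iface() {
    ip -4 route show default 2>/dev/null |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Classify one interface. Args: name rx_bytes tx_bytes default_iface
# Prints one of: skip | route | candidate | active
classify_iface() {
    name=$1; rx=$2; tx=$3; def=$4
    case "$name" in
        docker*|lo*|br*|veth*) echo skip; return ;;
    esac
    if [ "$name" = "$def" ]; then
        echo route; return
    fi
    # Assumed thresholds: at least 1 MB received, and RX more than 100x TX.
    # Comparing rx/100 against tx avoids overflowing shell arithmetic on large counters.
    if [ "$rx" -ge 1000000 ] && [ $((rx / 100)) -gt "$tx" ]; then
        echo candidate
    else
        echo active
    fi
}

# Print the names to tick in zeekcfg. Usage: find_candidates
find_candidates() {
    def=$(default_route_iface)
    list_interface_counters | while read -r n rx tx; do
        if [ "$(classify_iface "$n" "$rx" "$tx" "$def")" = candidate ]; then
            echo "$n"
        fi
    done
}
```

An interface reported as "active" that you know is cabled to a mirror port is not wrong to select; the counters only tell you where to look first.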


Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=3914

Category: Network Sensor Management