Zeek MHR #10767
-
|
Good day all, Is there a preferred way to disable Sensoroni analyzers? Is removing the source from Thanks! |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 3 replies
-
|
Sorry, by "Sensoroni analyzers" you mean the ones available for enrichment in the Cases interface? |
Beta Was this translation helpful? Give feedback.
-
|
Yes and no... I'm finding my v2.3 SO forward nodes are issuing DNS TXT queries for |
Beta Was this translation helpful? Give feedback.
-
|
Looks like that's coming from the detect-MHR.zeek framework, which is enabled by default. Try copying init.sls from /opt/so/saltstack/default/pillar/zeek/ to /opt/so/saltstack/local/pillar/zeek and removing the line that says "frameworks/files/detect-MHR". |
Beta Was this translation helpful? Give feedback.
-
|
@InfosecGoon, that fixed it; thank you! |
Beta Was this translation helpful? Give feedback.
Looks like that's coming from the detect-MHR.zeek framework, which is enabled by default. Try copying init.sls from /opt/so/saltstack/default/pillar/zeek/ to /opt/so/saltstack/local/pillar/zeek and removing the line that says "frameworks/files/detect-MHR".