Zeek file extraction issue #11616

rohan0017 · 2023-10-25T04:52:24Z

rohan0017
Oct 25, 2023

In my security onion distributed deployment, the zeek module is not capturing any files. Any help is appreciated. The files are not going into the /nsm/zeek/extracted/complete folder.

robbiemarshall · 2023-10-25T14:27:10Z

robbiemarshall
Oct 25, 2023

Are you running Strelka? If so, it may be moving the extracted files out of the /nsm/zeek/extracted/complete folder to /nsm/strelka/processed/, so you can check that folder to see if the files are there.

10 replies

rohan0017 Oct 26, 2023
Author

I tried using http, then also zeek is not capturing the files.

dougburks Oct 27, 2023
Maintainer

Is Zeek logging metadata about the file transfer in its http.log, file.log, and conn.log?

Is there any packet loss? If so, Zeek will not extract files.

rohan0017 Oct 28, 2023
Author

No, there is no packet loss this is my packet_loss.log content=> {"ts":1698469291.631522,"ts_delta":45309.525259017944,"peer":"zeek","gaps":0,"acks":0,"perce nt_lost":0.0}

rohan0017 Oct 30, 2023
Author

And there are no http.log and file.log log files in logs directory.

dougburks Oct 30, 2023
Maintainer

Double-check the configuration of your tap or span port and the wiring that connects it to your sniffing interface. Then use tcpdump to verify that you see the HTTP traffic arriving at the sniffing interface.

rohan0017 · 2023-12-26T05:57:47Z

rohan0017
Dec 26, 2023
Author

How can I test whether the zeek is extracting the files or not(from traffic)?

7 replies

dougburks Dec 28, 2023
Maintainer

Does the Zeek http.log show that it saw your connection to testmynids.org?

rohan0017 Dec 29, 2023
Author

I am able to see only these logs:
/nsm/zeek/spool/logger# ls
broker.log capture_loss.log conn.log dhcp.log dns.log ecat_arp_info.log enip.log notice.log stats.log stderr.log stdout.log

http.log is missing

rohan0017 Dec 29, 2023
Author

And in stderr.log zeek is logging the following errors:

/opt/zeek/share/zeekctl/scripts/run-zeek: line 61: ulimit: core file size: cannot modify limit: Operation not permitted
send-mail: /usr/sbin/sendmail not found
send-mail: /usr/sbin/sendmail not found
send-mail: /usr/sbin/sendmail not found
send-mail: /usr/sbin/sendmail not found

dougburks Dec 29, 2023
Maintainer

It seems like your sensor may only be seeing broadcast traffic so there may still be a problem with your span configuration.

rohan0017 Jan 1, 2024
Author

Ok I will check.

Zeek file extraction issue #11616

Uh oh!

Uh oh!

rohan0017 Oct 25, 2023

Replies: 2 comments · 17 replies

Uh oh!

robbiemarshall Oct 25, 2023

Uh oh!

Uh oh!

rohan0017 Oct 26, 2023 Author

Uh oh!

dougburks Oct 27, 2023 Maintainer

Uh oh!

rohan0017 Oct 28, 2023 Author

Uh oh!

rohan0017 Oct 30, 2023 Author

Uh oh!

dougburks Oct 30, 2023 Maintainer

Uh oh!

rohan0017 Dec 26, 2023 Author

Uh oh!

dougburks Dec 28, 2023 Maintainer

Uh oh!

Uh oh!

rohan0017 Dec 29, 2023 Author

Uh oh!

rohan0017 Dec 29, 2023 Author

Uh oh!

dougburks Dec 29, 2023 Maintainer

Uh oh!

rohan0017 Jan 1, 2024 Author

rohan0017
Oct 25, 2023

Replies: 2 comments 17 replies

robbiemarshall
Oct 25, 2023

rohan0017 Oct 26, 2023
Author

dougburks Oct 27, 2023
Maintainer

rohan0017 Oct 28, 2023
Author

rohan0017 Oct 30, 2023
Author

dougburks Oct 30, 2023
Maintainer

rohan0017
Dec 26, 2023
Author

dougburks Dec 28, 2023
Maintainer

rohan0017 Dec 29, 2023
Author

rohan0017 Dec 29, 2023
Author

dougburks Dec 29, 2023
Maintainer

rohan0017 Jan 1, 2024
Author