Zeek Issue after 2.4.30

[Jsitech]

Version

2.4.30

Installation Method

Security Onion ISO image

Description

other (please provide detail below)

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

24

RAM

128GB

Storage for /

241GB

Storage for /nsm

5.6TB

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

No, one or more services are failed (please provide detail below)

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

After upgrading from 2.4.20 to 2.4.30 so-zeek container kept restarting itself. Looking into the logs it as mentioning an error at line 24 in communityid.zeek,

event connection_state_remove(c: connection) {
c$conn$community_id = hash_conn(c);
}

Seems something might have change on the configuration portion. Commenting out these lines solves the issue and Zeek starts working normally.

Guidelines

• I have read the above statement and can confirm my post is relevant to Security Onion 2.4.

[defensivedepth]

Do you have any custom zeek modifications or config?

[Jsitech]

No

[TOoSmOotH]

sudo ls -l /opt/so/saltstack/local/salt/zeek/defaults.yaml on the manager.

[Jsitech]

That file is not present on that location.

ls: cannot access '/opt/so/saltstack/local/salt/zeek/defaults.yaml': No such file or directory

[Jsitech]

Also noticed, that commenting the line on the mentioned file communityid.zeek, does not solve the issue completely, the container now restarts every hour but cannot find any logs indicating why it is doing that.

[TOoSmOotH]

you should not be modifying files via the command line. I would try and do a so-saltstack-update to put the files back to the way they are supposed to be then check zeek -> config -> local -> load and make sure the defaults match.