Zeek-af_packet-plugin and VLAN tags #9365
Replies: 1 comment 2 replies
Have you enabled the vlan-logging script (already included in Zeek) as shown at https://docs.securityonion.net/en/2.3/zeek.html#custom-scripts?
Setup: Security Onion Version: 2.3.190 (ISO'd)
Installation: Distributed Architecture, Isolated. Manager/Search Node with several Heavy Nodes. so-status: green.
Noticed Zeek updated to 5.0.2 and an updated zeek-af_packet-plugin 3.2.0 with what appears to be successful VLAN tagging capability referenced in https://github.com/zeek/zeek-af_packet-plugin
Readme shows "VLAN tagging is now supported. Even using AF_Packet's ETH_P_ALL, the kernel removes VLAN tags from packets." ... "Applying knowledge about the internal data structures used by Zeek, the plugin now forwards VLAN tag control information to Zeek. Both IEEE 802.1Q and IEEE 802.1ad (QinQ) will be handled as expected." (curious if this would help mitigate: zeek/zeek-af_packet-plugin#9)
Noticed the latest version of Security Onion 2.3.190 updated to Zeek 5.0.2 and has references to the zeek-af_packet-plugin 3.2.0 script/update under several locations:
- /nsm/zeek/spool/installed-scripts-do-not-touch/site/packages/zeek-af_packet-plugin
- /nsm/zeek/spool/installed-scripts-do-not-touch/site/zeek-af_packet-plugin
- /var/lib/docker/overlay2/8955/diff/opt/zeek/lib64/zeek/plugins/packages/zeek-af_packet-plugin
- /var/lib/docker/overlay2/8955/diff/opt/zeek/share/zeek/site/packages/zeek-af_packet-plugin
- /var/lib/docker/overlay2/8955/diff/opt/zeek/share/zeek/site/zeek-af_packet-plugin
- /var/lib/docker/overlay2/8955/diff/opt/zeek/var/lib/zkg/clones/package/zeek-af_packet-plugin
- /var/lib/docker/overlay2/7a25/diff/opt/zeek/lib64/zeek/plugins/packages/zeek-af_packet-plugin
I've replayed Wireshark tracefiles containing VLAN tag IDs using a sneaker-net copy of tcpreplay in our air-gapped setup. However, I'm not seeing the VLAN tags in the resulting Zeek conn.log file after replaying the pcap.
Curious if I misconfigured something preventing me from seeing the VLAN tags in the Zeek log (e.g. conn.log), or whether capturing VLAN tags via Zeek is still a work in progress?
Much appreciated.
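A check that can be run over the replayed conn.log to tell the two failure modes apart (the vlan-logging policy script not being loaded, versus tags not reaching Zeek's packet source at all). This is an added example, not code from Security Onion, Zeek or the af_packet plugin; it assumes the `vlan` and `inner_vlan` field names that Zeek's vlan-logging policy adds to conn.log, a tab separator for TSV output, and the constructed sample records embedded below.

```python
import json

# Constructed sample TSV conn.log as Zeek writes it with the vlan-logging policy
# loaded (tab-separated; only the headers that matter here are shown).
SAMPLE_TSV = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tvlan\tinner_vlan\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tint\tint\n"
    "1660000000.000000\tCAbc1\t10.0.0.5\t51515\t10.0.0.9\t443\ttcp\t100\t-\n"
    "1660000001.000000\tCDef2\t10.0.0.6\t51516\t10.0.0.9\t443\ttcp\t-\t-\n"
    "1660000002.000000\tCGhi3\t10.0.0.7\t51517\t10.0.0.9\t443\ttcp\t200\t300\n"
)
# Constructed JSON-lines record (Zeek's other output format) written without the
# policy loaded: Zeek omits unset optional fields, so there is no "vlan" key at all.
SAMPLE_JSON = '{"ts":1660000000.0,"uid":"CAbc1","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.9","proto":"tcp"}\n'

def parse_zeek_log(text):
    """Yield one dict per record from a Zeek TSV (#fields header) or JSON-lines log."""
    fields = None
    for line in text.splitlines():
        if not line or (line.startswith("#") and not line.startswith("#fields\t")):
            continue  # blank lines and #separator/#types/#close headers
        if line.startswith("{"):
            yield json.loads(line)
        elif line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif fields is None:
            raise ValueError("data row before #fields header")
        else:
            yield dict(zip(fields, line.split("\t")))

def vlan_summary(text):
    """Count records and how many carry an outer (vlan) / inner (inner_vlan) tag."""
    s = {"records": 0, "vlan_field_present": False, "tagged": 0, "qinq": 0}
    for rec in parse_zeek_log(text):
        s["records"] += 1
        s["vlan_field_present"] |= "vlan" in rec
        # TSV marks an unset field with "-"; JSON drops the key, so .get() is None
        if rec.get("vlan") not in (None, "-"):
            s["tagged"] += 1
        if rec.get("inner_vlan") not in (None, "-"):
            s["qinq"] += 1
    return s

def diagnose(summary):
    """Map the counts to the next troubleshooting step."""
    if not summary["vlan_field_present"]:
        return "no vlan fields in conn.log: the vlan-logging policy script is not loaded"
    if summary["tagged"] == 0:
        return "vlan fields present but never set: tags are not reaching Zeek's packet source"
    return "%d of %d connections carry a VLAN tag (%d QinQ)" % (summary["tagged"], summary["records"], summary["qinq"])
```

Pass the contents of the real conn.log to `vlan_summary` and then `diagnose`; the constructed samples exercise both the tagged-and-QinQ case and the policy-not-loaded case.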