By default, Zeek is configured to capture all network traffic, both IP and non-IP. But if you have worked as a network or sysadmin engineer, you will have seen protocols that are very chatty while adding no value from a security perspective. Another case is the large flows of traffic generated by backups. That traffic can overwhelm your Zeek sensor without giving you any insight.

To restrict this traffic, you can add BPF filters to your local configuration file and drop the traffic before it reaches your Zeek workers. Yes, it is more efficient to drop this traffic at your packet broker or your advanced network card, but that option is not always available.

So, if you want to exclude specific traffic from reaching your Zeek sensors, you can add BPF filters (https://docs.zeek.org/en/master/scripts/base/init-bare.zeek.html#id-restrict_filters) to your local.zeek like this:

redef restrict_filters = {
    ["stop host 192.168.10.211"] = "not ( src host 192.168.10.211 or dst host 192.168.10.211)",
    ["stop port 10050"] = "not ( (src host 192.168.10.10 or src host 192.168.10.3) and (dst host 192.168.10.3 or dst host 192.168.10.10) and (dst port 10050 or src port 10050))",
};

When Zeek starts, it logically ANDs (&&) each of the restrict filters above and then ANDs the result with the default Zeek capture filter (PacketFilter::default_capture_filter). So each packet has to pass all the filters in order to reach the Zeek workers.
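To make that composition concrete, here is an added example (not code from the original post and not part of Zeek itself). It models how the restrict filters are ANDed together and then ANDed with the default capture filter, which is an assumption modelled on the "(lhs) op (rhs)" wrapping that Zeek's PacketFilter::combine_filters performs, and then evaluates the resulting expression against a few constructed packets with a small evaluator for the subset of BPF used above (host, port, src/dst, and/or/not, parentheses, ip). The packet names, addresses and the Packet class are constructed for illustration; the two filter strings are the ones from the post.

```python
import re
from dataclasses import dataclass

# The two restrict filters from the post, keyed exactly as in local.zeek.
RESTRICT_FILTERS = {
    "stop host 192.168.10.211": "not ( src host 192.168.10.211 or dst host 192.168.10.211)",
    "stop port 10050": "not ( (src host 192.168.10.10 or src host 192.168.10.3) and "
                       "(dst host 192.168.10.3 or dst host 192.168.10.10) and "
                       "(dst port 10050 or src port 10050))",
}
# Zeek's default capture filter matches everything.
DEFAULT_CAPTURE_FILTER = "ip or not ip"


def combine_filters(lhs, op, rhs):
    """Assumption: mirrors PacketFilter::combine_filters; an empty side yields the other unchanged."""
    if not lhs:
        return rhs
    if not rhs:
        return lhs
    return f"({lhs}) {op} ({rhs})"


def build_filter(default_filter, restrict):
    """AND every restrict filter together, then AND the result with the default capture filter."""
    rfilter = ""
    for expr in restrict.values():
        rfilter = combine_filters(rfilter, "and", expr)
    return combine_filters(default_filter, "and", rfilter)


@dataclass(frozen=True)
class Packet:            # constructed stand-in for a captured IP packet
    name: str
    src: str
    dst: str
    sport: int
    dport: int


TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")


def _match(pkt, direction, src_attr, dst_attr, value):
    if direction == "src":
        return getattr(pkt, src_attr) == value
    if direction == "dst":
        return getattr(pkt, dst_attr) == value
    return getattr(pkt, src_attr) == value or getattr(pkt, dst_attr) == value


class BpfSubset:
    """Recursive-descent evaluator: expr := term (or term)*, term := factor (and factor)*,
    factor := not factor | ( expr ) | [src|dst] host ADDR | [src|dst] port NUM | ip."""

    def __init__(self, expr):
        self.toks = TOKEN_RE.findall(expr)
        self.i = 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def expr(self):
        left = self.term()
        while self.peek() == "or":
            self.take()
            left = (lambda p, a=left, b=self.term(): a(p) or b(p))
        return left

    def term(self):
        left = self.factor()
        while self.peek() == "and":
            self.take()
            left = (lambda p, a=left, b=self.factor(): a(p) and b(p))
        return left

    def factor(self):
        tok = self.peek()
        if tok == "not":
            self.take()
            return lambda p, f=self.factor(): not f(p)
        if tok == "(":
            self.take()
            inner = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return inner
        direction = self.take() if tok in ("src", "dst") else None
        kind = self.take()
        if kind == "ip" and direction is None:
            return lambda p: True
        if kind == "host":
            return lambda p, d=direction, a=self.take(): _match(p, d, "src", "dst", a)
        if kind == "port":
            return lambda p, d=direction, v=int(self.take()): _match(p, d, "sport", "dport", v)
        raise ValueError(f"unsupported primitive {kind!r}")


def packets_reaching_workers(packets, bpf):
    """Return the packets that pass the combined filter, i.e. that the workers would see."""
    matcher = BpfSubset(bpf).parse()
    return [p for p in packets if matcher(p)]


def sample_packets():
    # Constructed traffic: one packet per case the two restrict filters are meant to cover.
    return [
        Packet("from-chatty-host", "192.168.10.211", "192.168.10.50", 51000, 443),
        Packet("zabbix-between-monitored-hosts", "192.168.10.10", "192.168.10.3", 40000, 10050),
        Packet("ssh-between-monitored-hosts", "192.168.10.10", "192.168.10.3", 40000, 22),
        Packet("zabbix-from-other-host", "192.168.10.99", "192.168.10.3", 40000, 10050),
    ]


if __name__ == "__main__":
    combined = build_filter(DEFAULT_CAPTURE_FILTER, RESTRICT_FILTERS)
    print(combined)
    for p in packets_reaching_workers(sample_packets(), combined):
        print("reaches workers:", p.name)
```

Running it prints the combined expression (the same shape you get from `zeekctl print PacketFilter::current_filter`) and shows that only the SSH packet and the port 10050 packet from the unlisted host reach the workers: the second restrict filter is deliberately narrow, so Zabbix traffic from any host other than the two named ones is still captured.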

Finally, to verify that the restrict filters are actually applied to Zeek, you can run the command below at runtime.

zeekctl print restrict_filters

You can also view the whole BPF capture filter applied to Zeek's monitor interfaces, and spot any logical errors, with the command below.

zeekctl print PacketFilter::current_filter

Any error in the compilation of the BPF filters will prevent the Zeek process from starting. You can see what went wrong via

zeekctl diag

Be aware that if you apply BPF filters with ZeekArgs through your ZeekCtl configuration, they will overwrite the BPF filters you have specified in Zeek's local configuration file.