I have set up a basic home lab with a Zeek VM (Ubuntu) running an Elastic Zeek agent, a Win11 victim machine and ParrotOS.
I have set up a simple Python server in the Win11 VM and created some HTTP traffic from ParrotOS (requesting files, nmap/nikto/zap scanning).
My server was recording all this traffic.
When I try to search for this in Elastic by using, for example, `event.log : zeek.http`, there is nothing.
If I search by source IP or destination IP I can clearly detect the traffic from and to my python server.
But when I expand these events in Elastic I can't see the zeek.http. Any hints?
Hey @Gnr23, please share a few entries of the full conn.log (with IPs anonymized if needed). There may be something off with your capture setup, and missing_bytes, history, or conn_state may give an indication of that.
Thanks,
Arne
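The kind of check Arne is asking for can be scripted. The block below is an added example, not code from the original thread or from the Zeek project: it parses Zeek's TSV conn.log layout and flags the three capture-health signals named above, using the real conn.log field names (the counter is `missed_bytes` in the log itself, `history` uses uppercase letters for originator packets and lowercase for responder packets, and `conn_state` values S0 and OTH mean "attempt seen, no reply" and "no SYN seen, midstream traffic only"). The four log lines are constructed for the example; the uids and IPs are made up.

```python
"""Triage a Zeek conn.log for signs of a broken capture setup.

Added example (not from the original thread or the Zeek project).
Real conn.log field names are used; the sample lines are constructed.
"""

CONN_FIELDS = [
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
    "proto", "service", "duration", "orig_bytes", "resp_bytes",
    "conn_state", "local_orig", "local_resp", "missed_bytes", "history",
    "orig_pkts", "orig_ip_bytes", "resp_pkts", "resp_ip_bytes",
    "tunnel_parents",
]

# Constructed sample in Zeek's TSV layout. Zeek writes "#separator \x09"
# as literal text on the first line; every later line is tab-separated.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#fields\t" + "\t".join(CONN_FIELDS),
    # healthy HTTP exchange: SYN, SYN-ACK, data and FIN in both directions
    "\t".join(["1700000000.100000", "CHealthy1", "10.0.0.5", "51000",
               "10.0.0.10", "8000", "tcp", "http", "0.050000", "120", "4096",
               "SF", "T", "T", "0", "ShADadFf", "6", "440", "6", "4420", "-"]),
    # only the originator's packets reached the sensor (all uppercase history)
    "\t".join(["1700000001.200000", "COneSided2", "10.0.0.5", "51001",
               "10.0.0.10", "8000", "tcp", "-", "3.000000", "120", "0",
               "S0", "T", "T", "0", "SADF", "4", "280", "0", "0", "-"]),
    # both sides seen, but the sensor dropped part of the response ("g" = gap)
    "\t".join(["1700000002.300000", "CGappy3", "10.0.0.5", "51002",
               "10.0.0.10", "8000", "tcp", "http", "0.900000", "130", "2900",
               "SF", "T", "T", "1460", "ShADadgFf", "5", "400", "4", "1500", "-"]),
    # picked up mid-stream: no SYN in history, conn_state OTH
    "\t".join(["1700000003.400000", "CMidstream4", "10.0.0.5", "51003",
               "10.0.0.10", "8000", "tcp", "-", "0.200000", "0", "600",
               "OTH", "T", "T", "0", "Dd", "0", "0", "2", "700", "-"]),
    "#close\t2023-11-14-22-13-24",
])

UNSET = "-"  # Zeek's #unset_field marker


def parse_zeek_tsv(text):
    """Parse Zeek's TSV log format into a list of dicts keyed by the #fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue  # #separator, #path, #types, #close, ...
        if fields is None:
            raise ValueError("data line before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        records.append(dict(zip(fields, values)))
    return records


def capture_findings(rec):
    """Return (kind, message) pairs for capture problems visible in one record."""
    problems = []
    missed = 0 if rec["missed_bytes"] == UNSET else int(rec["missed_bytes"])
    if missed > 0:
        problems.append(("missed_bytes",
                         f"missed_bytes={missed}: sensor dropped packets mid-connection"))
    history = rec["history"]
    letters = [c for c in history if c.isalpha()]
    if letters:
        has_orig = any(c.isupper() for c in letters)  # uppercase = originator
        has_resp = any(c.islower() for c in letters)  # lowercase = responder
        if has_orig and not has_resp:
            problems.append(("one_sided", f"history={history}: only originator packets seen"))
        elif has_resp and not has_orig:
            problems.append(("one_sided", f"history={history}: only responder packets seen"))
    state = rec["conn_state"]
    if state == "S0":
        problems.append(("no_handshake", "conn_state=S0: attempt seen, no reply"))
    elif state == "OTH":
        problems.append(("no_handshake", "conn_state=OTH: no SYN seen, midstream traffic only"))
    return problems


def triage(text):
    """Map uid -> list of problem messages for every record that has at least one."""
    out = {}
    for rec in parse_zeek_tsv(text):
        found = capture_findings(rec)
        if found:
            out[rec["uid"]] = [msg for _, msg in found]
    return out


def capture_summary(text):
    """Count connections per problem kind; high ratios point at the sensor, not the hosts."""
    records = parse_zeek_tsv(text)
    summary = {"total": len(records), "one_sided": 0, "missed_bytes": 0, "no_handshake": 0}
    for rec in records:
        for kind, _ in capture_findings(rec):
            summary[kind] += 1
    return summary


if __name__ == "__main__":
    for uid, msgs in triage(SAMPLE_CONN_LOG).items():
        print(uid, "->", "; ".join(msgs))
    print(capture_summary(SAMPLE_CONN_LOG))
```

If most connections come out one-sided or S0/OTH while the hosts themselves talk fine, the sensor is the problem rather than the traffic. On a Linux sensor, `ip link show dev <iface>` lists the PROMISC flag when promiscuous mode is on, and `ip link set dev <iface> promisc on` enables it; without it a mirror or bridged interface only passes frames addressed to its own MAC.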
OK, my bad. I had reinstalled the Zeek VM but had forgotten to set the second network adapter to promiscuous mode :P Thanks for the reply.