Hello List,
I have a complex Zeek setup where Zeek is listening on a bridged interface that is shared with a lot of other VMs, so it catches quite a lot of broadcast traffic and other traffic I don't care about.
How can I exclude IPs and ranges from all checks, so that there is not a single log or alert event for those?
I did not find an obvious solution in the generic config files.
There is a reference in the old bro documentation for this here:
https://old.zeek.org/documentation/faq.html
But you can add the following to /usr/local/etc/zeekctl.cfg if you installed the FreeBSD port.
zeekargs = -f 'not host 192.168.1.255'
This will add a BPF filter to not process the traffic, just like tcpdump. There are other examples to add this to your Zeek scripts as necessary.
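The script-side variant of the same BPF exclusion, as an added example that is not part of the reply above: it assumes the `restrict_filters` table of Zeek's packet-filter framework, and the addresses (the broadcast address 192.168.1.255 and a VM subnet 10.20.0.0/16) are made-up sample values.

```zeek
# Added example for local.zeek: exclude hosts and ranges at the capture level.
# Every restrict_filters entry is ANDed into the BPF expression Zeek installs
# on the interface at startup, so matching packets are dropped before any
# analyzer sees them: no conn.log entries, no notices, no weird.log for them.
# Addresses below are constructed sample values; replace with your own.
redef restrict_filters += {
    # the bridged segment's broadcast address plus generic broadcast frames
    ["no-broadcast"] = "not host 192.168.1.255 and not broadcast",
    # a whole VM subnet (CIDR syntax is valid BPF)
    ["no-vm-subnet"] = "not net 10.20.0.0/16",
    # a single noisy VM
    ["no-build-vm"] = "not host 10.30.4.17",
};
```

After a restart, packet_filter.log records the combined expression that was actually compiled, which is the quickest way to confirm the exclusions (and a typo in one entry) before trusting that the traffic is gone.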