I inherited an older Zeek server running version 4 and Debian 10. After upgrading to Debian 12 and Zeek version 7, we receive the following lines frequently in our reports. Before upgrading, those lines did appear in reports.
```
Ignoring corrupt line: {"ts":1770075737.083786,"uid":"CPt0nD3FWS48invDra","id.orig_h":"136.0.66.150","id.orig_p":0,"id.resp_h":"x.x.x.x","id.resp_p":0,"proto":"unknown_transport","conn_state":"OTH","local_orig":false,"local_resp":true,"missed_bytes":0,"orig_pkts":1,"orig_ip_bytes":628,"resp_pkts":0,"resp_ip_bytes":0,"ip_proto":50}
```
I commented out these deprecated scripts due to some errors being thrown when upgrading.
`/opt/zeek/share/zeek/site/local.zeek`
- `#@load tuning/defaults`
- `#@load misc/scan`
Any insight would be appreciated.
Hi @kransom,
if you just upgraded, it might be best to just upgrade to Zeek 8, instead of stopping at Zeek 7. Zeek 8.0 is our current LTS release; Zeek 7 is no longer getting updates, including no more security updates.
The issue you encounter is a bug in Zeek 7, which has been fixed in the current Zeek 8 releases. There are more details in the ticket "`unknown_protocol` is unsupported" (Issue #10 · zeek/trace-summary · GitHub).
In short, Zeek added additional information to its connection log, and we forgot to update the script that generates the summaries for a while.
Johanna
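As an added illustration (not part of the thread and not trace-summary's own code), this sketch shows a conn.log JSON summarizer that accepts `"proto":"unknown_transport"` by labelling the record from `ip_proto`, and rejects only lines that really are malformed. The function names, the protocol-name table and the sample lines are assumptions constructed for the example.

```python
import json
from collections import Counter

# Small subset of IANA IP protocol numbers, used only for labelling.
IP_PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 47: "gre",
                  50: "esp", 51: "ah", 58: "icmp6"}
KNOWN_TRANSPORTS = {"tcp", "udp", "icmp"}

def proto_label(rec):
    """Return a protocol label for one conn.log record (a dict)."""
    proto = rec.get("proto")
    if proto in KNOWN_TRANSPORTS:
        return proto
    # Records like the one quoted in the question carry a non-TCP/UDP/ICMP
    # "proto" value plus the raw IP protocol number in "ip_proto".
    num = rec.get("ip_proto")
    if isinstance(num, int):
        return IP_PROTO_NAMES.get(num, f"ip_proto_{num}")
    return "unknown"

def summarize(lines):
    """Count packets and IP bytes per protocol; also return rejected lines."""
    pkts, byts, rejected = Counter(), Counter(), []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            if not isinstance(rec, dict):
                raise ValueError("not a JSON object")
            n_pkts = int(rec.get("orig_pkts", 0)) + int(rec.get("resp_pkts", 0))
            n_bytes = int(rec.get("orig_ip_bytes", 0)) + int(rec.get("resp_ip_bytes", 0))
        except (ValueError, TypeError):
            rejected.append(line)  # truncated or non-JSON input
            continue
        label = proto_label(rec)
        pkts[label] += n_pkts
        byts[label] += n_bytes
    return pkts, byts, rejected

# Constructed sample input (documentation address ranges, not real traffic).
SAMPLE = [
    '{"ts":1.0,"id.orig_h":"192.0.2.10","id.resp_h":"198.51.100.5","proto":"unknown_transport","orig_pkts":1,"orig_ip_bytes":628,"resp_pkts":0,"resp_ip_bytes":0,"ip_proto":50}',
    '{"ts":2.0,"id.orig_h":"192.0.2.11","id.resp_h":"198.51.100.5","proto":"tcp","orig_pkts":5,"orig_ip_bytes":400,"resp_pkts":4,"resp_ip_bytes":900,"ip_proto":6}',
    '{"ts":3.0,"id.orig_h":"192.0.2.12","proto":"tc',  # truncated line
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```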
Ah okay. I upgraded this server about 7 months ago for security purposes. I plan on getting it fully up to date next week with the latest version and OS. I figured I’d get this issue sorted out while configuring IPv6 in the reports. Thanks for the support.