I have configured Zeek following the official documentation, then I added a redef to skip the checksum warning. I have configured the interface, trying different brands, I have run tcpdump and tshark, and I don't see the SSH sessions except those of the same endpoint where I do the sniffing. I am connected to a mirror port.
Script: ssh_alerts.zeek

```zeek
# Print a line for every established TCP connection whose responder port is 22.
event connection_established(c: connection)
{
    if (c$id$resp_p == 22/tcp)
    {
        print fmt("SSH Alerts: Con from %s a %s:%d",
                  c$id$orig_h, c$id$resp_h, c$id$resp_p);
    }
}
```
Configured:
/usr/local/zeek/etc/node.cfg
/usr/local/zeek/share/zeek/site/local.zeek
I hope for your answer soon, greetings.
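One way to tell whether the mirror port is actually delivering other hosts' traffic, rather than only the sensor's own sessions, is to look at what reaches Zeek's conn.log. The following is an added example, not part of the original post or of Zeek itself: it parses a few constructed conn.log lines (Zeek's tab-separated format with a `#fields` header) and splits the SSH connections into those that involve the sensor's own address and those between third parties. If the third-party count stays at zero while the sensor's own sessions appear, the capture path (SPAN/mirror configuration, promiscuous mode on the interface named in node.cfg) is the place to look, not the Zeek script. The sensor IP and the log contents are assumptions made up for the example.

```python
"""Check a Zeek conn.log for SSH connections that do not involve the sensor host."""
from typing import Dict, List

# Constructed sample conn.log excerpt (only the fields needed here).
SAMPLE_CONN_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\n"
    "1700000000.000000\tCabc1\t10.0.0.5\t51000\t10.0.0.9\t22\ttcp\tssh\n"
    "1700000001.000000\tCabc2\t10.0.0.7\t51001\t10.0.0.9\t22\ttcp\tssh\n"
    "1700000002.000000\tCabc3\t10.0.0.5\t51002\t10.0.0.8\t443\ttcp\tssl\n"
    "1700000003.000000\tCabc4\t10.0.0.5\t51003\t10.0.0.12\t22\ttcp\tssh\n"
)

# Assumed address of the sniffing host (the endpoint whose sessions are always visible).
SENSOR_IP = "10.0.0.5"


def parse_conn_log(text: str) -> List[Dict[str, str]]:
    """Turn Zeek TSV log text into a list of row dicts keyed by the #fields names."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue  # #separator, #types, #open, #close and similar metadata
        if fields is None:
            raise ValueError("data line seen before a #fields header")
        rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def ssh_visibility(text: str, sensor_ip: str) -> Dict[str, object]:
    """Count SSH connections (tcp/22) split by whether the sensor host is an endpoint."""
    ssh = [r for r in parse_conn_log(text)
           if r["proto"] == "tcp" and r["id.resp_p"] == "22"]
    sensor_rows = [r for r in ssh if sensor_ip in (r["id.orig_h"], r["id.resp_h"])]
    other_rows = [r for r in ssh if sensor_ip not in (r["id.orig_h"], r["id.resp_h"])]
    return {
        "ssh_total": len(ssh),
        "sensor_involved": len(sensor_rows),
        "third_party": len(other_rows),
        "third_party_pairs": sorted((r["id.orig_h"], r["id.resp_h"]) for r in other_rows),
    }


def capture_verdict(summary: Dict[str, object]) -> str:
    """Short diagnosis: is the mirror port delivering traffic beyond the sensor's own?"""
    if summary["ssh_total"] == 0:
        return "no SSH connections logged at all"
    if summary["third_party"] == 0:
        return "only the sensor's own SSH sessions are visible: check mirror/SPAN and promiscuous mode"
    return "third-party SSH sessions are visible: capture path is delivering mirrored traffic"


if __name__ == "__main__":
    result = ssh_visibility(SAMPLE_CONN_LOG, SENSOR_IP)
    print(result)
    print(capture_verdict(result))
```

Run it against a real log with `zeek-cut`-free parsing as above, or feed it the current `conn.log` from the Zeek logs directory and your sensor address; the `#types` and other metadata lines are skipped, so the unmodified file works as input.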