I’m trying to filter out a load of port scans which are totally killing zeek.
I have a filter rule something like this in a file loaded from site.zeek:
redef restrict_filters += { ["not-one-host"] = "not host 10.92.161.136" };
zeekctl print PacketFilter::current_filter shows (truncated for readability):
worker-ens1f1np1-6 PacketFilter::current_filter = (ip or not ip) and (not host 10.92.161.136)
The thing is it does not filter this IP, I still get conn log entries. If I drop the “not” then I get no packets at all, it drops everything.
I read on a post that VLAN tags impact these filters, the traffic is on multiple VLANs, so I tried adding in vlan to the filter, but I get the same results, either no packets or a filter that does nothing.
Does anybody have some filter examples that work they would care to share?
This is Zeek 5.2
Thanks, Mark
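As an added example (not from the original post, and not Zeek project code), here is a restrict filter that excludes the one host whether its frames arrive untagged or inside an 802.1Q VLAN tag. The BPF `vlan` keyword changes the decoding offsets for everything that follows it in the expression, so the host test has to be written twice: once before `vlan` for untagged frames and once after it for tagged frames, in that order. The IP address is the one from the post; the filter key name is an arbitrary label.

```zeek
# Added example: exclude 10.92.161.136 on both untagged and VLAN-tagged frames.
# Load this from site.zeek alongside the existing restrict_filters entries.
#
# Order matters: the first "host" test is evaluated at untagged offsets, and
# the "vlan" keyword shifts the offsets for the second "host" test so that it
# matches the IP header inside an 802.1Q-tagged frame. Writing the tagged
# clause first would make the untagged clause use the wrong offsets.
redef restrict_filters += {
    ["not-one-host"] = "not (host 10.92.161.136 or (vlan and host 10.92.161.136))"
};
```

Before deploying, compile the expression with `tcpdump -d 'not (host 10.92.161.136 or (vlan and host 10.92.161.136))'` to confirm it parses, then check the merged result with `zeekctl print PacketFilter::current_filter` as in the post; a filter that drops every packet usually means the untagged clause was placed after `vlan`.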