We have a need to bypass a large number of subnets from capture on a centralised Zeek sensor. The reason being, we already have an estate of remote sensors capturing for said subnets (lots of remote sensors to capture MPLS any-to-any traffic). On the centralised sensor, we appear to be hitting some limitation on the number of entries we can use.
For example -
ZeekArgs = -f "ip or not ip and not (net 10.21.37.0/24 or net 10.21.38.0/24 or net 10.21.128.0/22 or net 10.21.176.0/22 or net 10.21.16.0/24 or net 10.21.76.0/24 or net 10.21.186.0/24 or net 10.21.112.0/23 or net 10.21.12.0/23 or net 10.21.48.0/23 or net 10.21.120.0/24 or net 10.21.64.0/23 or net 10.21.235.0/24 or net 10.21.202.0/24 or net 10.21.154.0/24 or net 10.21.210.0/24 or net 10.21.185.0/24 or net 10.21.108.0/24 or net 10.21.155.0/24 or net 10.21.162.0/24 or net 10.21.184.0/24 or net 10.21.182.0/24 or net 10.21.196.0/24 or net 10.21.153.0/24 or net 10.21.222.0/24 or net 10.21.238.0/24 or net 10.21.224.0/24 or net 10.21.163.0/24 or net 10.21.187.0/24 or net 10.21.234.0/24 or net 10.21.191.0/24 or net 10.21.205.0/24 or net 10.21.31.0/24 or net 10.21.40.0/24 or net 10.21.78.0/23 or net 172.16.8.0/21 or host 10.21.91.13 or host 10.21.100.125 or host 10.21.100.164 or host 10.21.100.131 or host 10.21.100.12 or host 10.21.91.254 or host 172.26.1.24 or host 10.25.26.221)"
The above will work, but as soon as we add one more entry, /var/log/bro/current shows no logs (other than broker, cluster, stdout, etc). Remove the last entry, /var/log/bro/current fills up with expected logs again.
We’re using Debian 10 for this sensor -
```
Static hostname: sensor00
Icon name: computer-desktop
Chassis: desktop
Machine ID: 6347d74af08c453d82787d516fd1bdb7
Boot ID: 47fd92ad927640e3928f756a76d8fcef
Operating System: Debian GNU/Linux 10 (buster)
Kernel: Linux 4.19.0-18-amd64
Architecture: x86-64
```
Zeek version is 4.0.5.
Does anyone have any ideas why we might be hitting what looks like a BPF limitation (perhaps something to do with the underlying capture library)?
We’re running the following node.cfg -
```
[logger-1]
type=logger
host=localhost
#
[manager]
type=manager
host=localhost
#
[proxy-1]
type=proxy
host=localhost
#
[worker-1]
type=worker
host=localhost
interface=enp2s0
lb_method=pf_ring
lb_procs=4
```
I’d be very grateful if anyone has any ideas as to why we’re seeing this issue, and can offer any advice.
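Measuring how large the compiled filter actually gets is the first check worth making. The script below is an added example, not from the post, that rebuilds the `-f` filter from a one-entry-per-line bypass list and counts the classic-BPF instructions tcpdump compiles it into. It assumes tcpdump is installed and uses the kernel's classic-BPF program size limit BPF_MAXINSNS (4096) only as a yardstick; the list file name bypass.txt is a placeholder.

```shell
#!/bin/sh
# Added check (not from the post): build the Zeek -f filter from a bypass
# list and count the classic-BPF instructions libpcap compiles it into.
# Assumes tcpdump is installed. BPF_MAXINSNS is the kernel's classic BPF
# program size limit (linux/bpf_common.h); used here only as a yardstick.
BPF_MAXINSNS=4096

# stdin: one entry per line, e.g. "net 10.21.37.0/24" or "host 10.21.91.13".
# Output: the filter in the same shape as the ZeekArgs line in the post.
build_filter() {
    awk 'NF { body = body (n++ ? " or " : "") $0 }
         END { printf "ip or not ip and not (%s)\n", body }'
}

# Compile $1 with "tcpdump -d" and print the number of BPF instructions.
# Reading an empty Ethernet pcap (24-byte header, no packets) lets tcpdump
# compile for link type EN10MB without opening an interface or needing root.
bpf_insn_count() {
    tmp=$(mktemp)
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$tmp"
    count=$(tcpdump -r "$tmp" -d "$1" 2>/dev/null | wc -l | tr -d ' ')
    rm -f "$tmp"
    echo "$count"
}

# Compile the filter for the first 1, 2, ... N entries of the list file $1
# (newline-terminated, no blank lines) and report how the program grows
# toward BPF_MAXINSNS as each entry is appended.
report_growth() {
    total=$(wc -l < "$1" | tr -d ' ')
    i=1
    while [ "$i" -le "$total" ]; do
        f=$(head -n "$i" "$1" | build_filter)
        n=$(bpf_insn_count "$f")
        printf '%3d entries -> %4d instructions (limit %d)\n' "$i" "$n" "$BPF_MAXINSNS"
        i=$((i + 1))
    done
}

# Usage: report_growth bypass.txt   (bypass.txt is a placeholder file name)
```

Paste the `net`/`host` entries from the ZeekArgs line into the list file, one per line, and the last row of the report shows the program size at the point where Zeek stops producing logs.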