Zeek processes listen on all interfaces

Hello,

We have deployed zeek-5.0.0 in cluster mode on a single machine using PF_RING for load balancing. The machine is Rocky Linux-8.6.

The node.cfg looks like this:

[manager]
type=manager
host=localhost

[logger]
type=logger
host=localhost

[proxy-1]
type=proxy
host=localhost

# As only a single interface is designated as sensing_interface, only one worker is there
[worker-1]
type=worker
host=localhost
interface=ens8
lb_method=pf_ring
lb_procs=2

The config works and the output of zeekctl status is:

Name         Type    Host             Status    Pid    Started
logger       logger  localhost        running   787799 01 Aug 18:22:54
manager      manager localhost        running   787854 01 Aug 18:22:56
proxy-1      proxy   localhost        running   787910 01 Aug 18:22:57
worker-1-1   worker  localhost        running   787974 01 Aug 18:22:59
worker-1-2   worker  localhost        running   787975 01 Aug 18:22:59

Each of the above processes also starts listening on random ports, but on all interfaces (0.0.0.0), although connections are only made among the processes on localhost.

# netstat -nalp | grep zeek
tcp        0      0 0.0.0.0:47765           0.0.0.0:*               LISTEN      787975/zeek         
tcp        0      0 0.0.0.0:47761           0.0.0.0:*               LISTEN      787799/zeek         
tcp        0      0 0.0.0.0:47762           0.0.0.0:*               LISTEN      787854/zeek         
tcp        0      0 0.0.0.0:47763           0.0.0.0:*               LISTEN      787910/zeek         
tcp        0      0 0.0.0.0:47764           0.0.0.0:*               LISTEN      787974/zeek         
tcp        0      0 127.0.0.1:57764         127.0.0.1:47762         ESTABLISHED 787974/zeek         
tcp        0      0 127.0.0.1:49022         127.0.0.1:47761         ESTABLISHED 787975/zeek         
tcp        0      0 127.0.0.1:47762         127.0.0.1:57764         ESTABLISHED 787854/zeek         
tcp        0      0 127.0.0.1:47762         127.0.0.1:57758         ESTABLISHED 787854/zeek         
tcp        0      0 127.0.0.1:53920         127.0.0.1:47763         ESTABLISHED 787975/zeek         
tcp        0      0 127.0.0.1:57770         127.0.0.1:47762         ESTABLISHED 787975/zeek         
tcp        0      0 127.0.0.1:49010         127.0.0.1:47761         ESTABLISHED 787854/zeek         
tcp        0    923 127.0.0.1:47762         127.0.0.1:57770         ESTABLISHED 787854/zeek         
tcp        0      0 127.0.0.1:47763         127.0.0.1:53920         ESTABLISHED 787910/zeek         
tcp        0      0 127.0.0.1:53914         127.0.0.1:47763         ESTABLISHED 787974/zeek         
tcp        0      0 127.0.0.1:47761         127.0.0.1:49012         ESTABLISHED 787799/zeek         
tcp        0    809 127.0.0.1:57758         127.0.0.1:47762         ESTABLISHED 787910/zeek         
tcp        0      0 127.0.0.1:47761         127.0.0.1:49022         ESTABLISHED 787799/zeek         
tcp        0      0 127.0.0.1:47761         127.0.0.1:49016         ESTABLISHED 787799/zeek         
tcp        0    473 127.0.0.1:47761         127.0.0.1:49010         ESTABLISHED 787799/zeek         
tcp        0      0 127.0.0.1:49012         127.0.0.1:47761         ESTABLISHED 787910/zeek         
tcp        0      0 127.0.0.1:49016         127.0.0.1:47761         ESTABLISHED 787974/zeek         
tcp        0      0 127.0.0.1:47763         127.0.0.1:53914         ESTABLISHED 787910/zeek     

Since the programs are running on a single machine, I would like them to listen on only 127.0.0.1. Is there a config parameter for this? My guess was host=localhost in node.cfg would do this but that does not help.

Yeah, you can either redefine Broker::default_listen_address or set the environment variable ZEEK_DEFAULT_LISTEN_ADDRESS.

Robin

Thanks,

I changed /opt/zeek/share/zeek/site/local.zeek to have the line

redef Broker::default_listen_address = "127.0.0.1";

and now all listens are on 127.0.0.1.
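
A check for the outcome reported in this thread, added here as an example and not written by any of the posters: it reads `netstat -nalp` output and reports Zeek LISTEN sockets bound to anything other than loopback. The function name is hypothetical, the "before" sample reuses lines from the netstat output above, and the "after" sample is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Usage: netstat -nalp | zeek_exposed_listeners
# Prints "local-address pid/program" for every Zeek listener that is not on
# loopback, and returns 1 if any were found (0 if all listeners are loopback).
zeek_exposed_listeners() {
    awk '
        # TCP rows: $4 = local address, $6 = state, $7 = PID/program
        $6 == "LISTEN" && $7 ~ /\/zeek$/ {
            addr = $4
            sub(/:[0-9]+$/, "", addr)      # strip the trailing :port
            if (addr ~ /^127\./ || addr == "::1") next
            print $4, $7
            bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Lines taken from the netstat output earlier in the thread (before the change).
SAMPLE_BEFORE='tcp        0      0 0.0.0.0:47761           0.0.0.0:*               LISTEN      787799/zeek
tcp        0      0 0.0.0.0:47762           0.0.0.0:*               LISTEN      787854/zeek
tcp        0      0 127.0.0.1:57764         127.0.0.1:47762         ESTABLISHED 787974/zeek'

# Constructed sample of the state after the redef: loopback-only listeners.
SAMPLE_AFTER='tcp        0      0 127.0.0.1:47761         0.0.0.0:*               LISTEN      787799/zeek
tcp        0      0 127.0.0.1:47762         0.0.0.0:*               LISTEN      787854/zeek
tcp6       0      0 ::1:47763               :::*                    LISTEN      787910/zeek'

# Demonstration on the embedded samples.
printf '%s\n' "$SAMPLE_BEFORE" | zeek_exposed_listeners \
    || echo "before: non-loopback Zeek listeners found"
printf '%s\n' "$SAMPLE_AFTER" | zeek_exposed_listeners \
    && echo "after: all Zeek listeners are on loopback"
```

Run it as root so that netstat can fill in the PID/program column for the Zeek processes.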