OK, all works well when I configure Zeek as a standalone node: packets are 
captured, there are several logs regarding conn, dns ... The problem appears when 
Zeek is configured as a cluster using one host as a manager and another host as 
a worker ...

Strange, because PF is disabled in both hosts, one host can connect to the 
other (ping, ssh and so on). Maybe it is a bug with Zeek ...

-- 
Regards,
C. L. Martinez

On 08/03/2020, 10:42, "[email protected] on behalf of Carlos Lopez" 
<[email protected] on behalf of [email protected]> wrote:

    Hi Monah,
    
    Yes, zeekctl deploy works without problem. If I launch several requests
    using curl or doing several dns requests, I can see all of them with tcpdump
    but not in zeek … Of course, sniffing the same interface …
    
    --
    Regards,
    C. L. Martinez
    
    From: Monah Baki <[email protected]>
    Date: Sunday, 8 March 2020 at 00:25
    To: Carlos Lopez <[email protected]>
    Cc: "[email protected]" <[email protected]>
    Subject: Re: Compiling Zeek 3.0.2 returns an error at final stage
    
    From the server, if you curl a website, do you see an http.log file in the
    zeek log current folder? And after changing the interface, did you zeekctl deploy?
    
    Thanks
    Monah
    
    
    
    On Sat, Mar 7, 2020 at 5:42 PM Carlos Lopez <[email protected]> wrote:
    Thanks Monah … But this is not the problem … interface configuration is
    correct …
    
    --
    Regards,
    C. L. Martinez
    
    From: Monah Baki <[email protected]>
    Date: Saturday, 7 March 2020 at 23:30
    To: Carlos Lopez <[email protected]>
    Cc: "[email protected]" <[email protected]>
    Subject: Re: Compiling Zeek 3.0.2 returns an error at final stage
    
    Hi Carlos,
    
    Check your node.cfg, the interface section
    
    [zeek]
    type=standalone
    host=localhost
    interface=eth0   <<<<<< might want to change it
    
    On Sat, Mar 7, 2020 at 5:01 PM Carlos Lopez <[email protected]> wrote:
    Many thanks for your answer Stuart ... Finally, I have compiled Zeek
    3.0.3-dev.3 and all goes ok during compilation ... But zeek doesn't capture any
    packet ... and tcpdump works without problems and I can see all traffic ...
    
    --
    Regards,
    C. L. Martinez
    
    On 07/03/2020, 22:08, "[email protected] on behalf of Stuart Henderson"
    <[email protected] on behalf of [email protected]> wrote:
    
        On 2020-03-07, Carlos Lopez <[email protected]> wrote:
        > Hi all,
        >
        >  I am trying to install Zeek 3.0.2 under OpenBSD 6.6 amd64 fully patched but compilation returns me the following error:
        >
        > [ 97%] Building C object src/CMakeFiles/zeek.dir/nb_dns.c.o
        > [ 97%] Linking CXX executable zeek
        > ld: error: unable to find library -llibbinpac.so.VERSION
        > c++: error: linker command failed with exit code 1 (use -v to see invocation)
        > *** Error 1 in build (src/CMakeFiles/zeek.dir/build.make:1826 'src/zeek')
        > *** Error 1 in build (CMakeFiles/Makefile2:1661 'src/CMakeFiles/zeek.dir/all')
        > *** Error 1 in build (Makefile:152 'all')
        > *** Error 1 in /root/builds/src/zeek-3.0.2 (Makefile:15 'all')
        >
        >  But libbinpac.so exists compiled under the source dirs.:
        >
        > root@obsd66:~/builds/src/zeek-3.0.2# find . -name "*binpac.so"
        > ./build/aux/binpac/lib/libbinpac.so
        > root@obsd66:~/builds/src/zeek-3.0.2
        >
        >  Any tip to solve this issue?
        >
    
        You're probably better off using the port. There is a fair chance that
        if you update *just* the net/bro directory (the port dir wasn't renamed
        but the package was) to -current that it will build, and if not, you'll
        be closer to getting it working.
    
        Or the easy option, update to -current, pkg_add zeek.
    
    
