Zeek without rc.local

In order for Zeek to capture packets faithfully you need to disable several network card features, such as TCP segmentation offload and the other checksum, segmentation and receive offloads. With those enabled the kernel hands Zeek reassembled, oversized frames (or frames whose checksums have not been computed yet) rather than what was actually on the wire, so protocol analysis and checksum validation go wrong.
Security Onion has a handy article at https://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.html
While you can just run this manually (replace enp2s0 with your capture interface):

```sh
for i in rx tx sg tso ufo gso gro lro; do ethtool -K enp2s0 $i off; done
```

you don't really want to be doing this every time the system restarts, and `ethtool -K` settings do not survive a reboot. Before systemd you might have just put the above command in /etc/rc.local, but nowadays systems are not guaranteed to have this legacy feature.
The TL;DR is that you need to use systemd to set these options when the system boots. Here is an example systemd unit that you can use in place of rc.local:
```ini
# /etc/systemd/system/zeek-interface.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/root/zeek-interface.sh

[Install]
WantedBy=multi-user.target
```

/root/zeek-interface.sh is a script holding the ethtool loop above; it has to be executable (chmod +x) or the unit will fail to start. The unit carries no [Unit] ordering, so if your capture interface shows up late at boot you may want to order it after the interface's device unit (systemd exposes network interfaces as sys-subsystem-net-devices-<iface>.device). You then need to do a
```sh
systemctl daemon-reload
```

and then

```sh
systemctl enable zeek-interface
```

(or `systemctl enable --now zeek-interface` to also apply it immediately). After you reboot, check `systemctl status zeek-interface` and `ethtool -k enp2s0` (lower-case k lists the current feature state); if the offloads show as off, your system is properly configured to capture packets with Zeek or Suricata!
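The post never shows the contents of /root/zeek-interface.sh. Here is what it could look like, as an added example that is not the original post's script: it runs the same `ethtool -K` loop, tolerates features a NIC reports as fixed, and then parses `ethtool -k` to confirm nothing is still on, so the oneshot unit actually fails (and `systemctl status` says so) when the interface is not in the state Zeek wants. The interface name enp2s0 and the script path come from the post; the feature-name mapping, the `still_on` check and the sample `ethtool -k` output embedded for offline testing are assumptions/constructed.

```shell
#!/bin/sh
# /root/zeek-interface.sh (added example, not the original post's script).
# Interface name and path are the post's; everything else is an assumption.
set -eu

IFACE="${IFACE:-enp2s0}"
# Same feature list as the post's one-liner (ethtool -K short names).
FEATURES="rx tx sg tso ufo gso gro lro"

# Map an ethtool -K short name to the label `ethtool -k` prints for it.
long_name() {
    case "$1" in
        rx)  echo rx-checksumming ;;
        tx)  echo tx-checksumming ;;
        sg)  echo scatter-gather ;;
        tso) echo tcp-segmentation-offload ;;
        ufo) echo udp-fragmentation-offload ;;
        gso) echo generic-segmentation-offload ;;
        gro) echo generic-receive-offload ;;
        lro) echo large-receive-offload ;;
        *)   echo "$1" ;;
    esac
}

# Turn every feature off. A NIC may report a feature as [fixed], in which case
# ethtool exits non-zero; warn and carry on so one such feature does not abort
# the loop and leave the remaining offloads enabled.
disable_offload() {
    iface="$1"
    for f in $FEATURES; do
        ethtool -K "$iface" "$f" off 2>/dev/null \
            || echo "warning: could not turn off $f on $iface" >&2
    done
}

# Read `ethtool -k` output on stdin and print, space separated, the short
# names of the listed features that are still "on". Empty output means the
# interface is in the state Zeek wants.
still_on() {
    out=$(cat)
    left=""
    for f in $FEATURES; do
        if printf '%s\n' "$out" | grep -q "^$(long_name "$f"): on"; then
            left="$left${left:+ }$f"
        fi
    done
    printf '%s\n' "$left"
}

# Constructed sample of `ethtool -k` output (not captured from a real NIC)
# for a card where tso, gro and lro did not get turned off.
SAMPLE_ETHTOOL_K='Features for enp2s0:
rx-checksumming: off
tx-checksumming: off
        tx-checksum-ipv4: off
scatter-gather: off
        tx-scatter-gather: off
tcp-segmentation-offload: on
        tx-tcp-segmentation: on
udp-fragmentation-offload: off [fixed]
generic-segmentation-offload: off
generic-receive-offload: on
large-receive-offload: on [fixed]'

# Run the check against the constructed sample; returns "tso gro lro".
check_sample() {
    printf '%s\n' "$SAMPLE_ETHTOOL_K" | still_on
}

main() {
    disable_offload "$IFACE"
    left=$(ethtool -k "$IFACE" | still_on)
    if [ -n "$left" ]; then
        echo "still enabled on $IFACE: $left" >&2
        exit 1
    fi
}

# Only act when run as the installed script; sourcing the file or running it
# under another name just defines the functions (handy for testing).
case "$0" in
    */zeek-interface.sh|zeek-interface.sh) main ;;
esac
```

Exiting non-zero when something is still on is deliberate: with Type=oneshot that marks the unit failed, which is far easier to notice than a silent, partially offloaded sensor. If your NIC genuinely cannot switch a feature off (shown as `on [fixed]`), drop it from FEATURES rather than letting the unit fail on every boot.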
TODO: There is probably a neater way to do this (using Netplan if you are on Ubuntu, for example); see https://netplan.io/faq