If Zeek on your forward node (sensor) keeps restarting and its detailed status never changes from “health: starting” to simply “healthy”, have a look at zeek.config.networks.HOME_NET in the Grid Configuration.

In my case I had specified a single IPv4 address among six other larger address blocks. Changing this address to a /31 address block made all the difference. I could probably have specified the address as a /32, but leaving it as /31 clearly singles out the two relevant link net addresses.
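A pre-flight check for the HOME_NET list, as an added example that is not part of the original post or of the product's own tooling: it flags entries written as a bare address with no prefix length and proposes the containing two-address block, mirroring the /31 fix described above. The function name `lint_home_net`, the assumption that the entries are available as a list of strings, and the sample addresses are all constructed for illustration.

```python
import ipaddress

# Constructed sample: six address blocks plus one bare IPv4 address,
# the same shape of list the post describes (addresses are made up).
SAMPLE_HOME_NET = [
    "10.0.0.0/8",
    "172.16.0.0/12",
    "192.168.0.0/16",
    "192.0.2.0/24",
    "198.51.100.0/24",
    "203.0.113.0/24",
    "192.0.2.45",
]


def lint_home_net(entries):
    """Return (entry, problem, suggestion) tuples for entries that are not CIDR blocks."""
    findings = []
    for raw in entries:
        entry = raw.strip()
        if "/" in entry:
            try:
                ipaddress.ip_network(entry, strict=False)
            except ValueError:
                findings.append((entry, "not a valid CIDR block", None))
            continue
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            findings.append((entry, "not an IP address or CIDR block", None))
            continue
        # Suggest the two-address block containing the host:
        # /31 for IPv4 (as in the post), /127 for IPv6.
        prefix = addr.max_prefixlen - 1
        block = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        findings.append((entry, "bare address without prefix length", str(block)))
    return findings


if __name__ == "__main__":
    for entry, problem, suggestion in lint_home_net(SAMPLE_HOME_NET):
        hint = f" -> try {suggestion}" if suggestion else ""
        print(f"{entry}: {problem}{hint}")
```
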
