Modifying TDS ports for Zeek in 2.4 #14045
Version: 2.4.111
Installation Method: Security Onion ISO image
Description: configuration
Installation Type: Distributed
Location: on-prem with Internet access
Hardware Specs: Exceeds minimum requirements
CPU: 96
RAM: 256
Storage for /: 250Gb
Storage for /nsm: 41Tb
Network Traffic Collection: tap
Network Traffic Speeds: 1Gbps to 10Gbps
Status: Yes, all services on all nodes are running OK
Salt Status: No, there are no failures
Logs: No, there are no additional clues

Detail

Our SQL servers operate on a different port than the standard 1337. I would like to add an additional port number 5189. There was a custom script or custom setup instruction in the Read-The-Docs for version 2.3. How does one go about changing or adding a port number to the TDS script in zeek for Security Onion? I have added the old link for the Zeek Custom scripts for reference: Zeek Custom Scripts Guidelines
Replies: 1 comment 1 reply
Use a policy script to do this. Place the script in /opt/so/saltstack/local/salt/zeek/policy/custom/filters. For example, mysql_ports.zeek

The script to place, if you are editing the MYSQL analyzer (change the ports to whatever you want to add):

Also, add your __load__.zeek file with @load ./mysql_ports.zeek

In SOC --> Administration --> Configuration --> zeek --> config --> local --> load add custom/filters/mysql_ports

Then synchronize your grid.

https://docs.zeek.org/en/v6.0.9/scripts/base/frameworks/analyzer/main.zeek.html#id-Analyzer::register_fo…
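
The file-placement steps from the reply above, as an added example that is not part of the original reply or Security Onion's own tooling. The function name write_mysql_ports_filter, the optional target-directory argument and the body of the generated Zeek script are assumptions of this example; the script calls Zeek's Analyzer::register_for_ports with the MySQL analyzer tag, following the reply's choice of analyzer.

```shell
# Added example: writes the policy script and its __load__.zeek entry.
# Directory and file names come from the reply; the function name and the
# generated Zeek script body are assumptions of this example.

# Location named in the reply; pass another directory as $2 for a dry run.
FILTER_DIR_DEFAULT=/opt/so/saltstack/local/salt/zeek/policy/custom/filters

write_mysql_ports_filter() {
    local port="$1" dir="${2:-$FILTER_DIR_DEFAULT}"

    # Accept only a decimal port of at most five digits, in 1..65535.
    case "$port" in
        ''|*[!0-9]*|??????*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2
        return 1
    fi

    mkdir -p "$dir" || return 1

    # Zeek script: attach the MySQL analyzer to the extra TCP port.
    cat > "$dir/mysql_ports.zeek" <<EOF
# Extra ports for the MySQL analyzer (generated file).
const extra_mysql_ports: set[port] = { ${port}/tcp };

event zeek_init()
    {
    Analyzer::register_for_ports(Analyzer::ANALYZER_MYSQL, extra_mysql_ports);
    }
EOF

    # Add the @load line only once, so re-running does not duplicate it.
    touch "$dir/__load__.zeek"
    grep -qxF '@load ./mysql_ports.zeek' "$dir/__load__.zeek" ||
        echo '@load ./mysql_ports.zeek' >> "$dir/__load__.zeek"
}

# Example call with the port from the question:
#   write_mysql_ports_filter 5189
```

The SOC load entry and the grid synchronization described in the reply are still done by hand afterwards.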