Route VyOS traffic into ZEEK

VyOS RTRs need to be configured to mirror traffic onto an unused port. From there, I’m trying to find a solution that gets the traffic off the port and into ZEEK to create logs. Or is there a better way to do what I’m looking for?

I don’t know anything about Zeek/Bro, but using mirror interfaces is fairly straightforward.

Once your mirror interface is configured in VyOS, you connect your Zeek listening interface to the mirror interface on the VyOS device.

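The mirror-then-listen setup from the two replies above, as an added shell example that is not from any poster: it emits the VyOS SPAN commands and the Zeek sensor commands. Interface names are assumptions (eth1 is the monitored VyOS port, eth2 the spare VyOS port cabled to the sensor, ens19 the sensor NIC Zeek listens on).

```shell
# Added example, not from the thread. Interface names are assumptions:
# eth1 = VyOS port being monitored, eth2 = spare VyOS port cabled to the
# sensor, ens19 = the sensor NIC that Zeek captures on.

# VyOS configure-mode commands: copy ingress and egress frames of SRC to SPAN.
# Refuses to mirror a port onto itself, which would just loop the frames back.
vyos_mirror_config() {
  src="$1"; span="$2"
  [ "$src" != "$span" ] || { echo "source and span port must differ" >&2; return 1; }
  printf 'set interfaces ethernet %s mirror ingress %s\n' "$src" "$span"
  printf 'set interfaces ethernet %s mirror egress %s\n' "$src" "$span"
  printf 'set interfaces ethernet %s description "SPAN to Zeek sensor"\n' "$span"
  printf 'commit\nsave\n'
}

# Sensor-side commands: the capture NIC carries no IP address, is brought up in
# promiscuous mode, and Zeek writes its logs (conn.log, dns.log, ...) to LOGDIR.
zeek_sensor_commands() {
  nic="$1"; logdir="$2"
  printf 'ip addr flush dev %s\n' "$nic"
  printf 'ip link set %s up promisc on\n' "$nic"
  printf 'mkdir -p %s && cd %s && zeek -i %s local\n' "$logdir" "$logdir" "$nic"
}

# Quick sanity check after cabling: a short capture on the sensor NIC should
# show frames whose addresses belong to hosts behind the router, not the sensor.
sensor_check_command() {
  printf 'tcpdump -ni %s -c 20\n' "$1"
}

# Usage: paste the first block into the VyOS "configure" shell, run the second
# block on the Zeek host.
vyos_mirror_config eth1 eth2
zeek_sensor_commands ens19 /var/log/zeek
sensor_check_command ens19
```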

I am not sure about Zeek or how it works, but you can definitely try using:

https://docs.vyos.io/en/latest/configuration/interfaces/bonding.html#port-mirror-span

I think that it could work for you.

The way I’ve always got traffic to go out a blackhole is to statically define an ARP entry on the interface and get whatever service is sending the traffic to be grabbed to that destination IP.

Whatever’s plugged into the port doesn’t have an actual IP address (usually it’s a port mirror collector) but if you statically say “this MAC is out this port” and then assign an IP to that MAC, you can ship traffic out the port easily.

Hope this helps.