<div dir="ltr">Also the @load packages/bro-is-darknet is erroring since it is not installed on my Zeek environment, do I need to use the zeek package manager to install it?</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Feb 14, 2020 at 9:20 AM Gordon Wallum <<a href="mailto:glwallum@gmail.com">glwallum@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Thank you, this makes sense logically but I can't figure out how to use the hook to exclude. The code below throws an error<div><br></div><div> ## Override this hook to ignore particular scan connections<br> global Scan::scan_policy: hook(scanner: addr, victim: addr, scanned_port: port)<br> {<br> if (( victim in exvictim_ips) || ( scanner in exscanner_ips ) || ( scanned_port in exscanned_ports))<br> break;<br> }<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Feb 13, 2020 at 2:49 PM Michał Purzyński <<a href="mailto:michalpurzynski1@gmail.com" target="_blank">michalpurzynski1@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>A couple of things.</div><div><br></div><div>First, you should use Justin's simple-scan. As others have pointed out, the stock scanning detection script can behave poorly and it's hardly extensible.</div><div><br></div><div><a href="https://github.com/ncsa/bro-simple-scan" target="_blank">https://github.com/ncsa/bro-simple-scan</a></div><div><br></div><div>(it's also packaged)</div><div><br></div><div>Second - you can either ignore connections so the detection algorithm won't count them (with the hook from the simple-scan code), or you can write a notice policy and ignore some notices. Up to you - we just ignore some connections.<br></div><div><br></div><div>Inside Justin's package, you will find a hook - this is what we use to ignore a set of destination and source IP addresses and some destination ports<br></div><div><br></div><div><a href="https://github.com/ncsa/bro-simple-scan/blob/master/scripts/scan.bro#L87" target="_blank">https://github.com/ncsa/bro-simple-scan/blob/master/scripts/scan.bro#L87</a></div><div><br></div><div>Here's how we use that hook</div><div><br></div><div><a href="https://gist.github.com/mpurzynski/96a26c42874898447554531b6df9a4bb" target="_blank">https://gist.github.com/mpurzynski/96a26c42874898447554531b6df9a4bb</a></div><div><br></div><div>The input framework is what we use to update the list runtime. Nowadays you could use the configuration framework instead.</div><div><br></div><div><a href="https://corelight.blog/2018/02/13/runtime-options-the-bro-configuration-framework/" target="_blank">https://corelight.blog/2018/02/13/runtime-options-the-bro-configuration-framework/</a></div><div><br></div><div><br></div><div>Either way, you do not have to modify any upstream package.</div><div><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Feb 13, 2020 at 11:23 AM Gordon Wallum <<a href="mailto:glwallum@gmail.com" target="_blank">glwallum@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Hello!</div><div><br></div><div>I am new with Zeek and looking to learn more. I am currently using the scan.zeek script (<a href="https://github.com/zeek/zeek/blob/master/scripts/policy/misc/scan.zeek" target="_blank">https://github.com/zeek/zeek/blob/master/scripts/policy/misc/scan.zeek</a>) for port scanning detection.</div><div><br></div><div>I want to exclude certain source IP addresses from this script but I am not sure the best way to do so. It seems like a comparison with the key$host variable, but not sure where or how to do this logic in Zeek.</div><div><br></div><div>Any advice would be appreciated</div><div><br></div><div>Thank you</div></div>
_______________________________________________<br>
Zeek mailing list<br>
<a href="mailto:zeek@zeek.org" target="_blank">zeek@zeek.org</a><br>
<a href="http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek" rel="noreferrer" target="_blank">http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek</a></blockquote></div></div>
</blockquote></div>
</blockquote></div>