[Zeek] scan.zeek question - exclude IP addresses

Gordon Wallum glwallum at gmail.com
Thu Feb 13 12:10:44 PST 2020


Thanks Christopher, would something like this work for the scan.zeek exclude?
I'll look at bro-simple-scan now.

At line 71:

local message = fmt("%s scanned at least %d unique hosts on port %s in %s",
                    key$host, r$unique, key$str, dur);
# Source hosts that should never raise an Address_Scan notice.
local exclude_ips: set[addr] = { xxx.xxx.xxx.xxx, xxx.xxx.xxx.yyy,
                                 xxx.xxx.xxx.zzz };
if ( key$host !in exclude_ips )
	NOTICE([$note=Address_Scan,
	        $src=key$host,
	        $p=to_port(key$str),
	        $sub=side,
	        $msg=message,
	        $identifier=cat(key$host)]);


On Thu, Feb 13, 2020 at 12:46 PM Christopher Hobbs <christopher.hobbs at corelight.com> wrote:

> I don't believe it has that functionality at the moment but I have a
> patch that can provide those options.  I'll put it on GH when I get a
> spare moment.
>
> It's worth noting that scan.zeek can perform poorly under heavy load
> so maybe have a look at bro-simple-scan as well?
> https://github.com/ncsa/bro-simple-scan
>
> cmh
>
> On Thu, Feb 13, 2020 at 11:23 AM Gordon Wallum <glwallum at gmail.com> wrote:
> >
> > Hello!
> >
> > I am new with Zeek and looking to learn more. I am currently using the
> > scan.zeek script (
> > https://github.com/zeek/zeek/blob/master/scripts/policy/misc/scan.zeek)
> > for port scanning detection.
> >
> > I want to exclude certain source IP addresses from this script but I am
> > not sure the best way to do so. It seems like a comparison with the
> > key$host variable, but not sure where or how to do this logic in Zeek.
> >
> > Any advice would be appreciated
> >
> > Thank you
> > _______________________________________________
> > Zeek mailing list
> > zeek at zeek.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>
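A way to get the same exclusion without editing scan.zeek, as an added example that is not from this thread or from the Zeek project: keep a redef-able `Scan::exclude_hosts` set (an assumed name) that local.zeek can populate, and clear the actions of Scan notices from matching sources in a `Notice::policy` hook. The addresses are constructed placeholders from the RFC 5737 documentation ranges.

```zeek
# Constructed example script: loads scan.zeek and filters its notices
# through Notice::policy instead of patching scan.zeek itself.
@load policy/misc/scan

module Scan;

export {
	## Source hosts/networks whose scanning must not raise a notice,
	## e.g. an authorized vulnerability scanner. Manage it from local.zeek:
	##   redef Scan::exclude_hosts += { 10.0.0.5/32 };
	## A set[subnet] accepts both single hosts (/32) and whole ranges.
	const exclude_hosts: set[subnet] = {} &redef;
}

# Constructed sample values; in practice this redef lives in local.zeek.
redef Scan::exclude_hosts += { 192.0.2.10/32, 198.51.100.0/24 };

# Priority 5 runs after the framework's own priority-10 policy handler,
# which is the one that adds ACTION_LOG. Clearing the action set here
# means the notice is neither logged nor alarmed nor emailed, while
# scan.zeek keeps tracking state for the host as before.
hook Notice::policy(n: Notice::Info) &priority=5
	{
	if ( n$note == Scan::Address_Scan || n$note == Scan::Port_Scan )
		{
		# $src is optional on Notice::Info, so test presence before use.
		if ( n?$src && n$src in Scan::exclude_hosts )
			n$actions = set();
		}
	}
```

Excluded sources are still counted by scan.zeek's summary statistics; only the resulting notices are silenced.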