[Zeek] scan.zeek question - exclude IP addresses

Michał Purzyński michalpurzynski1 at gmail.com
Thu Feb 13 13:49:09 PST 2020


A couple of things.

First, you should use Justin's simple-scan. As others have pointed out, the
stock scanning detection script can behave poorly and it's hardly
extensible.

https://github.com/ncsa/bro-simple-scan

(it's also packaged)

Second - you can either ignore connections so the detection algorithm won't
count them (with the hook from the simple-scan code), or you can write a
notice policy and ignore some notices. Up to you - we just ignore some
connections.

Inside Justin's package, you will find a hook - this is what we use to
ignore a set of destination and source IP addresses and some destination
ports.

https://github.com/ncsa/bro-simple-scan/blob/master/scripts/scan.bro#L87

Here's how we use that hook

https://gist.github.com/mpurzynski/96a26c42874898447554531b6df9a4bb

The input framework is what we use to update the list at runtime. Nowadays you
could use the configuration framework instead.

https://corelight.blog/2018/02/13/runtime-options-the-bro-configuration-framework/


Either way, you do not have to modify any upstream package.


On Thu, Feb 13, 2020 at 11:23 AM Gordon Wallum <glwallum at gmail.com> wrote:

> Hello!
>
> I am new with Zeek and looking to learn more. I am currently using the
> scan.zeek script (
> https://github.com/zeek/zeek/blob/master/scripts/policy/misc/scan.zeek)
> for port scanning detection.
>
> I want to exclude certain source IP addresses from this script but I am
> not sure the best way to do so. It seems like a comparison with the
> key$host variable, but not sure where or how to do this logic in Zeek.
>
> Any advice would be appreciated
>
> Thank you
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
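Both approaches described above in one script, as an added example that is not code from this thread, from Zeek or from the bro-simple-scan package: a single allowlist feeds simple-scan's connection hook (hook name and parameter list assumed from that package's export) and a Notice::policy handler for the stock scan.zeek notices, and the configuration framework changes the list at runtime. The config file path and the addresses are placeholders.

```zeek
##! scan-allowlist.zeek: keep trusted sources out of scan detection.
##! Added example, not code from this thread, from Zeek or from bro-simple-scan.
##! Load it after whichever scan script is in use (stock policy/misc/scan or
##! the ncsa/bro-simple-scan package); it does not load either itself.

module ScanAllowlist;

export {
	## Sources that must never be treated as scanners. Declared as an
	## ``option`` so the configuration framework can change it at runtime.
	option trusted_sources: set[subnet] = {
		10.10.0.0/24,   # constructed placeholder: internal vuln-scanner range
		192.0.2.10/32   # constructed placeholder: monitoring host
	};
}

# Configuration framework: a file (path assumed) whose lines look like
#   ScanAllowlist::trusted_sources   10.10.0.0/24,192.0.2.10/32
# is re-read whenever it changes, replacing the set above without a restart.
redef Config::config_files += { "/usr/local/zeek/etc/scan-allowlist.dat" };

# Option 1 (bro-simple-scan): keep the connection from being counted at all.
# Hook name and parameter list are assumed from that package's exported hook;
# the @ifdef lets this script load even when the package is not installed.
@ifdef ( Scan::scan_policy )
hook Scan::scan_policy(scanner: addr, victim: addr, scanned_port: port)
	{
	if ( scanner in trusted_sources )
		break;   # vetoing the hook makes simple-scan skip this attempt
	}
@endif

# Option 2 (stock scan.zeek): let the detector count, but drop the notice.
# Runs late so that actions added by earlier handlers (ACTION_LOG is the
# framework's default) are cleared as well; a notice with no actions is
# neither logged nor alarmed.
hook Notice::policy(n: Notice::Info) &priority=-5
	{
	# scan.zeek sets $src to the scanning host (key$host in the question).
	if ( ( n$note == Scan::Address_Scan || n$note == Scan::Port_Scan ) &&
	     n?$src && n$src in trusted_sources )
		n$actions = set();
	}
```

Option 1 is preferable when the allowlisted hosts generate enough traffic to crowd out real scanners in the counters; option 2 keeps the counting intact and only hides the result.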

