[Zeek] scan.zeek question - exclude IP addresses

Gordon Wallum glwallum at gmail.com
Fri Feb 14 08:20:21 PST 2020


Thank you, this makes sense logically but I can't figure out how to use the
hook to exclude. The code below throws an error

 ## Override this hook to ignore particular scan connections
 global Scan::scan_policy: hook(scanner: addr, victim: addr, scanned_port: port)
 {
     if ( ( victim in exvictim_ips ) || ( scanner in exscanner_ips ) || ( scanned_port in exscanned_ports ) )
         break;
 }

On Thu, Feb 13, 2020 at 2:49 PM Michał Purzyński <michalpurzynski1 at gmail.com>
wrote:

> A couple of things.
>
> First, you should use Justin's simple-scan. As others have pointed out,
> the stock scanning detection script can behave poorly and it's hardly
> extensible.
>
> https://github.com/ncsa/bro-simple-scan
>
> (it's also packaged)
>
> Second - you can either ignore connections so the detection algorithm
> won't count them (with the hook from the simple-scan code), or you can
> write a notice policy and ignore some notices. Up to you - we just ignore
> some connections.
>
> Inside Justin's package, you will find a hook - this is what we use to
> ignore a set of destination and source IP addresses and some destination
> ports
>
> https://github.com/ncsa/bro-simple-scan/blob/master/scripts/scan.bro#L87
>
> Here's how we use that hook
>
> https://gist.github.com/mpurzynski/96a26c42874898447554531b6df9a4bb
>
> The input framework is what we use to update the list runtime. Nowadays
> you could use the configuration framework instead.
>
>
> https://corelight.blog/2018/02/13/runtime-options-the-bro-configuration-framework/
>
>
> Either way, you do not have to modify any upstream package.
>
>
> On Thu, Feb 13, 2020 at 11:23 AM Gordon Wallum <glwallum at gmail.com> wrote:
>
>> Hello!
>>
>> I am new to Zeek and looking to learn more. I am currently using the
>> scan.zeek script (
>> https://github.com/zeek/zeek/blob/master/scripts/policy/misc/scan.zeek)
>> for port scanning detection.
>>
>> I want to exclude certain source IP addresses from this script but I am
>> not sure of the best way to do so. It seems like a comparison with the
>> key$host variable, but I am not sure where or how to do this logic in Zeek.
>>
>> Any advice would be appreciated
>>
>> Thank you
>> _______________________________________________
>> Zeek mailing list
>> zeek at zeek.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>
>
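The exclusion Michał describes, written as a standalone Zeek script (an added example, not code from this thread or from bro-simple-scan): the package already declares Scan::scan_policy, so a local script only attaches a handler with the `hook` keyword and never redeclares it with `global`; the module name, set names and sample addresses are assumptions.

```zeek
## Added example: exclude selected hosts and ports from bro-simple-scan.
## Assumes the package is loaded and exports Scan::scan_policy.
module ScanExclusions;

export {
    ## Destination addresses that never count toward a scan (sample values).
    option exvictim_ips: set[addr] = { 10.0.0.5 };
    ## Source addresses to ignore, e.g. an authorized vulnerability scanner.
    option exscanner_ips: set[addr] = { 192.168.1.10 };
    ## Destination ports to ignore.
    option exscanned_ports: set[port] = { 53/udp, 123/udp };
}

# Attach a handler to the package's hook instead of redeclaring it.
# `break` makes the hook evaluate to false, so the package skips this
# connection and it is not counted toward the scanner's threshold.
hook Scan::scan_policy(scanner: addr, victim: addr, scanned_port: port)
{
    if ( victim in exvictim_ips || scanner in exscanner_ips || scanned_port in exscanned_ports )
        break;
}
```

Because the sets are declared with `option`, they can be updated at runtime through the configuration framework rather than the input framework.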