[Zeek] scan.zeek question - exclude IP addresses

Gordon Wallum glwallum at gmail.com
Fri Feb 14 08:26:41 PST 2020


Also the @load packages/bro-is-darknet is erroring since it is not
installed on my Zeek environment, do I need to use the zeek package manager
to install it?

On Fri, Feb 14, 2020 at 9:20 AM Gordon Wallum <glwallum at gmail.com> wrote:

> Thank you, this makes sense logically but I can't figure out how to use
> the hook to exclude. The code below throws an error
>
>  ## Override this hook to ignore particular scan connections
>  global Scan::scan_policy: hook(scanner: addr, victim: addr, scanned_port: port)
>  {
>      if ( ( victim in exvictim_ips ) || ( scanner in exscanner_ips ) || ( scanned_port in exscanned_ports ) )
>          break;
>  }
>
> On Thu, Feb 13, 2020 at 2:49 PM Michał Purzyński <
> michalpurzynski1 at gmail.com> wrote:
>
>> A couple of things.
>>
>> First, you should use Justin's simple-scan. As others have pointed out,
>> the stock scanning detection script can behave poorly and it's hardly
>> extensible.
>>
>> https://github.com/ncsa/bro-simple-scan
>>
>> (it's also packaged)
>>
>> Second - you can either ignore connections so the detection algorithm
>> won't count them (with the hook from the simple-scan code), or you can
>> write a notice policy and ignore some notices. Up to you - we just ignore
>> some connections.
>>
>> Inside Justin's package, you will find a hook - this is what we use to
>> ignore a set of destination and source IP addresses and some destination
>> ports
>>
>> https://github.com/ncsa/bro-simple-scan/blob/master/scripts/scan.bro#L87
>>
>> Here's how we use that hook
>>
>> https://gist.github.com/mpurzynski/96a26c42874898447554531b6df9a4bb
>>
>> The input framework is what we use to update the list runtime. Nowadays
>> you could use the configuration framework instead.
>>
>>
>> https://corelight.blog/2018/02/13/runtime-options-the-bro-configuration-framework/
>>
>>
>> Either way, you do not have to modify any upstream package.
>>
>>
>> On Thu, Feb 13, 2020 at 11:23 AM Gordon Wallum <glwallum at gmail.com>
>> wrote:
>>
>>> Hello!
>>>
>>> I am new with Zeek and looking to learn more. I am currently using the
>>> scan.zeek script (
>>> https://github.com/zeek/zeek/blob/master/scripts/policy/misc/scan.zeek)
>>> for port scanning detection.
>>>
>>> I want to exclude certain source IP addresses from this script but I am
>>> not sure the best way to do so. It seems like a comparison with the
>>> key$host variable, but not sure where or how to do this logic in Zeek.
>>>
>>> Any advice would be appreciated
>>>
>>> Thank you
>>> _______________________________________________
>>> Zeek mailing list
>>> zeek at zeek.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>>
>>
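An added example, not from the thread and not from the bro-simple-scan project, showing the exclusion approach Michał describes: a handler attached to simple-scan's `Scan::scan_policy` hook, with the exclusion sets declared as `option` values so they can be changed at runtime through the configuration framework rather than by editing the package. The module name, the set names, the sample addresses and ports, and the config-file path are assumptions; the hook signature is the one quoted in the thread.

```zeek
##! Exclude selected hosts and ports from bro-simple-scan detection.
##! Added example (not part of the thread or the package); assumes the
##! simple-scan package is installed via zkg and loadable by this name.

@load packages/bro-simple-scan
@load base/frameworks/config

module ScanExclusions;

export {
    ## Destination hosts that should never be counted as scan victims.
    ## Sample addresses are constructed (documentation ranges).
    option exvictim_ips: set[addr] = { 192.0.2.10, 192.0.2.11 };

    ## Source hosts (e.g. an authorized internal scanner) whose
    ## connections are not fed to the scan tracker at all.
    option exscanner_ips: set[addr] = { 198.51.100.5 };

    ## Destination ports whose connections are not counted.
    option exscanned_ports: set[port] = { 53/udp, 123/udp };
}

# Assumed path: a config file the configuration framework watches.
# Lines such as "ScanExclusions::exscanner_ips 198.51.100.5,198.51.100.6"
# replace the set above without restarting Zeek.
redef Config::config_files += { "/usr/local/zeek/share/zeek/site/scan-exclusions.dat" };

# A handler for the hook exported by simple-scan. Executing `break`
# vetoes the hook, so the connection is ignored by the detection
# algorithm instead of being suppressed later at the notice level.
hook Scan::scan_policy(scanner: addr, victim: addr, scanned_port: port)
    {
    if ( victim in exvictim_ips )
        break;

    if ( scanner in exscanner_ips )
        break;

    if ( scanned_port in exscanned_ports )
        break;
    }
```

Note the difference from the snippet quoted above: a handler is added with `hook Scan::scan_policy(...) { ... }`, whereas `global Scan::scan_policy: hook(...)` is the declaration that already lives in the package and must not be repeated with a body. Because the hook is declared by the package, the `@load` line must come before the handler.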

