[Zeek] bro-simple-scan exclude IP addresses

Gordon Wallum glwallum at gmail.com
Fri Feb 14 11:54:37 PST 2020


I'm new to Zeek and looking for help with bro-simple-scan to exclude IP
addresses. I am trying to use runtime options and if/break checks in the
script to accomplish this.

After running I get an error for my option variables. I don't know if I
should move my excludes to a different part of the script or if my options
are just not working right.

Any help would be greatly appreciated.

*Error*
error in /opt/bro/share/zeek/policy/custom-scripts/./bro-simple-scan2, line 276: unknown identifier exvictim_ips, at or near "exvictim_ips"


*My config steps:*

Edit local.bro to include the config file:
redef Config::config_files += { "/path/to/config.dat" };

*Create config file with variables:*
PortScanning::exvictim_ips
PortScanning::exscanner_ips xxx.xxx.xxx.xxx,yyy.yyy.yyy.yyy
PortScanning::exscanned_ports


Edit the bro-simple-scan script:

*Added module and export variable options (after @loads)*
module PortScanning;
export {
    option exvictim_ips: set[addr] = {};
    option exscanner_ips: set[addr] = {};
    option exscanned_ports: set[port] = {};
}

*Added if break (in the cluster hook Scan::scan_policy)*

if ( hook Scan::scan_policy(scanner, victim, scanned_port) )
        {
        if ( ( victim in exvictim_ips ) || ( scanner in exscanner_ips ) ||
             ( scanned_port in exscanned_ports ) )
                break;

*Add an if break (in the standalone hook Scan::scan_policy)*

if ( hook Scan::scan_policy(scanner, victim, scanned_port) )
        {
        if ( ( victim in exvictim_ips ) || ( scanner in exscanner_ips ) ||
             ( scanned_port in exscanned_ports ) )
                break;
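As an added example (not the poster's script and not part of bro-simple-scan itself): the same exclusions expressed as a separate policy file that implements a Scan::scan_policy hook handler, so the upstream script is left unmodified. It assumes bro-simple-scan is already loaded from local.zeek before this file, that the hook is declared as scan_policy(scanner: addr, victim: addr, scanned_port: port) as the poster's calls imply, and that the config path and sample addresses/ports are constructed placeholders.

```zeek
# Exclusion policy for bro-simple-scan, kept in its own file (added example).
# Assumes bro-simple-scan has already been loaded so Scan::scan_policy exists.
@load base/frameworks/config

module PortScanning;

export {
    ## Hosts that may be probed without raising Scan::* notices.
    option exvictim_ips: set[addr] = {};
    ## Hosts allowed to probe (e.g. an internal vulnerability scanner).
    option exscanner_ips: set[addr] = {};
    ## Ports whose probes are not treated as scanning.
    option exscanned_ports: set[port] = {};
}

# Runtime values come from the Config framework. Constructed sample file
# (assumed path; values are whitespace separated, sets are comma separated):
#   PortScanning::exscanner_ips    192.0.2.10,192.0.2.11
#   PortScanning::exscanned_ports  53/udp,123/udp
redef Config::config_files += { "/opt/zeek/etc/scan-exclusions.dat" };

# A hook handler that executes `break` makes the hook call evaluate to F,
# so bro-simple-scan's `if ( hook Scan::scan_policy(...) )` skips the
# notice for this (scanner, victim, port) triple. The options are named
# with their module prefix: a bare `exvictim_ips` only resolves inside
# module PortScanning, which is why a reference placed in a body that
# lives under `module Scan;` fails with "unknown identifier".
hook Scan::scan_policy(scanner: addr, victim: addr, scanned_port: port)
    {
    if ( victim in PortScanning::exvictim_ips ||
         scanner in PortScanning::exscanner_ips ||
         scanned_port in PortScanning::exscanned_ports )
        break;
    }
```

Because these are options rather than globals, editing the config file changes the exclusions at runtime without a restart or redeploy.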

