[Zeek] scan.zeek question - exclude IP addresses

Christopher Hobbs christopher.hobbs at corelight.com
Tue Feb 18 10:16:13 PST 2020


I've heard about the darknet error before but I'm not sure I have a
relevant fix for it.  I'm sorry.  I've only touched these scripts in
passing.

Here are the changes I made to scan.zeek if it's helpful at all to
you.  I'm not going to make a PR for this because I certainly don't
recommend the use of scan.zeek under heavy load but maybe it'll help
you with some ideas:

https://github.com/corelight-chris/zeek/blob/64331b1ace775ee86442ccae79e62d20e79ce0e5/scripts/policy/misc/scan.zeek

Note that I just dredged this out of some of my local tinkering and
didn't bring any btests with it.  I think it's functional, though.

cmh

On Fri, Feb 14, 2020 at 8:28 AM Gordon Wallum <glwallum at gmail.com> wrote:
>
> Also, the @load packages/bro-is-darknet is erroring since it is not installed in my Zeek environment; do I need to use the zeek package manager to install it?
>
> On Fri, Feb 14, 2020 at 9:20 AM Gordon Wallum <glwallum at gmail.com> wrote:
>>
>> Thank you, this makes sense logically, but I can't figure out how to use the hook to exclude. The code below throws an error:
>>
>>  ## Override this hook to ignore particular scan connections
>>  global Scan::scan_policy: hook(scanner: addr, victim: addr, scanned_port: port)
>>  {
>>      if ( ( victim in exvictim_ips ) || ( scanner in exscanner_ips ) || ( scanned_port in exscanned_ports ) )
>>          break;
>>  }
>>
>> On Thu, Feb 13, 2020 at 2:49 PM Michał Purzyński <michalpurzynski1 at gmail.com> wrote:
>>>
>>> A couple of things.
>>>
>>> First, you should use Justin's simple-scan. As others have pointed out, the stock scanning detection script can behave poorly and it's hardly extensible.
>>>
>>> https://github.com/ncsa/bro-simple-scan
>>>
>>> (it's also packaged)
>>>
>>> Second - you can either ignore connections so the detection algorithm won't count them (with the hook from the simple-scan code), or you can write a notice policy and ignore some notices. Up to you - we just ignore some connections.
>>>
>>> Inside Justin's package, you will find a hook - this is what we use to ignore a set of destination and source IP addresses and some destination ports.
>>>
>>> https://github.com/ncsa/bro-simple-scan/blob/master/scripts/scan.bro#L87
>>>
>>> Here's how we use that hook
>>>
>>> https://gist.github.com/mpurzynski/96a26c42874898447554531b6df9a4bb
>>>
>>> The input framework is what we use to update the list at runtime. Nowadays you could use the configuration framework instead.
>>>
>>> https://corelight.blog/2018/02/13/runtime-options-the-bro-configuration-framework/
>>>
>>>
>>> Either way, you do not have to modify any upstream package.
>>>
>>>
>>> On Thu, Feb 13, 2020 at 11:23 AM Gordon Wallum <glwallum at gmail.com> wrote:
>>>>
>>>> Hello!
>>>>
>>>> I am new with Zeek and looking to learn more. I am currently using the scan.zeek script (https://github.com/zeek/zeek/blob/master/scripts/policy/misc/scan.zeek) for port scanning detection.
>>>>
>>>> I want to exclude certain source IP addresses from this script, but I am not sure of the best way to do so. It seems like it would be a comparison with the key$host variable, but I'm not sure where or how to do this logic in Zeek.
>>>>
>>>> Any advice would be appreciated
>>>>
>>>> Thank you
>>>> _______________________________________________
>>>> Zeek mailing list
>>>> zeek at zeek.org
>>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
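As an added example (not code from the thread or from the simple-scan package), here is the hook handler the replies above describe, written the way Zeek expects: the question's snippet re-declares the hook with a body, whereas a handler is written as `hook Name(...) { ... }`, and `break` inside it tells the scan script not to count that connection. The module name, the three exclusion sets, the package load path and the config file path are assumptions; the addresses and ports are constructed samples.

```zeek
# Added example: exclude selected sources, targets and ports from
# bro-simple-scan's counting via its Scan::scan_policy hook.
# Assumption: the package was installed with zkg under this directory name.
@load packages/bro-simple-scan

# Own module (assumed name) so nothing collides with the package's identifiers.
module ScanExclude;

export {
	## Scan sources never to be counted, e.g. an internal vulnerability scanner.
	## Declared as options so the configuration framework can change them
	## at runtime without restarting Zeek.
	option exscanner_ips: set[addr] = { 10.0.0.5 };        # constructed sample
	## Targets whose inbound probes should be ignored, e.g. a honeypot.
	option exvictim_ips: set[addr] = { 192.0.2.10 };       # constructed sample
	## Destination ports that are noisy but expected.
	option exscanned_ports: set[port] = { 53/udp, 123/udp };
}

## Runs once per candidate scan connection. Breaking out of the hook makes
## it return false, which simple-scan treats as "do not count this one".
hook Scan::scan_policy(scanner: addr, victim: addr, scanned_port: port)
	{
	if ( scanner in exscanner_ips ||
	     victim in exvictim_ips ||
	     scanned_port in exscanned_ports )
		break;
	}

## Placeholder path (assumption): a tab-separated file with lines such as
##   ScanExclude::exscanner_ips<TAB>10.0.0.5,10.0.0.6
## is re-read by the configuration framework when it changes.
redef Config::config_files += { "/PLACEHOLDER/etc/zeek/scan-exclusions.dat" };
```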