[Zeek] bro-simple-scan exclude IP addresses

Justin Azoff justin at corelight.com
Tue Feb 18 10:43:59 PST 2020


Ah.. a bit of confusion here.. but nothing too hard to fix.  So what
Michał showed here:
https://gist.github.com/mpurzynski/96a26c42874898447554531b6df9a4bb was
almost exactly what you needed.

Undo any changes you made to the scripts (or just reinstall them I guess).
The scan policy hook itself is already there for this exact purpose, so you
don't need to change anything.

Just make a new file called scan-policy.zeek that contains

redef Config::config_files += { "/path/to/config.dat" };
module PortScanning;
export {
    option exvictim_ips: set[addr] = {};
    option exscanner_ips: set[addr] = {};
    option exscanned_ports: set[port] = {};
}

hook Scan::scan_policy(scanner: addr, victim: addr, scanned_port: port)
{
    # break vetoes the hook, so this scanner/victim/port is not counted
    if ( (victim in exvictim_ips) || (scanner in exscanner_ips) || (scanned_port in exscanned_ports) )
        break;
}

Done! That's all you need.


On Fri, Feb 14, 2020 at 2:57 PM Gordon Wallum <glwallum at gmail.com> wrote:

> I'm new to Zeek and looking for help with bro-simple-scan to exclude IP
> addresses. I am trying to use runtime options and if breaks to the script
> to accomplish this.
>
> After running I get an error for my options variables. I don't know if I
> should move my excludes to a different part of the script or if my options
> are just not working right.
>
> Any help would be greatly appreciated
>
> *Error*
> error in /opt/bro/share/zeek/policy/custom-scripts/./bro-simple-scan2,
> line 276: unknown identifier exvictim_ips, at or near "exvictim_ips"
>
>
> *My config steps: *
>
> Edit local.bro to include the config file:
> redef Config::config_files += { "/path/to/config.dat" };
>
> *Create config file with variables: *
> PortScanning::exvictim_ips
> PortScanning::exscanner_ips xxx.xxx.xxx.xxx,yyy.yyy.yyy.yyy
> PortScanning::exscanned_ports
>
>
> Edit the bro-simple-scan script:
>
> *Added module and export variable options (after @loads)*
> module PortScanning;
> export {
>     option exvictim_ips: set[addr] = {};
>     option exscanner_ips: set[addr] = {};
>     option exscanned_ports: set[port] = {};
> }
>
> *Added if break (in the cluster hook Scan::scan_policy)*
>
> if ( hook Scan::scan_policy(scanner, victim, scanned_port) )
>         {
>         if ( (victim in exvictim_ips) || (scanner in exscanner_ips) || (scanned_port in exscanned_ports) )
>                 break;
>
> *Add an if break (in the standalone hook Scan::scan_policy)*
>
> if ( hook Scan::scan_policy(scanner, victim, scanned_port) )
>         {
>         if ( (victim in exvictim_ips) || (scanner in exscanner_ips) || (scanned_port in exscanned_ports) )
>                 break;
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek



-- 
Justin
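The script above reads its exclusions from config.dat, and a typo there (a bare IP without a protocol suffix on a set[port] option, an address that is not an address, an option name that does not match the export block) silently leaves the exclusion empty. The following validator is an added example, not code from this thread, from bro-simple-scan or from Zeek: it checks a config file against the three option names and types declared in scan-policy.zeek before the file is deployed. It assumes the Zeek config reader's defaults of comma-separated set elements and `(empty)` as the marker for an empty set; the sample files are constructed and use RFC 5737 documentation addresses.

```python
"""Pre-deployment check for the config.dat that feeds the three exclusion
options (a constructed validator, not part of bro-simple-scan or Zeek)."""
import ipaddress
import re

# The options declared in scan-policy.zeek, with their Zeek types.
EXPECTED_OPTIONS = {
    "PortScanning::exvictim_ips": "set[addr]",
    "PortScanning::exscanner_ips": "set[addr]",
    "PortScanning::exscanned_ports": "set[port]",
}

# Assumed defaults of Zeek's config reader: elements of a set are
# comma-separated, and an empty set is written as "(empty)".
SET_SEPARATOR = ","
EMPTY_FIELD = "(empty)"

# Zeek port literals carry a protocol suffix, e.g. 22/tcp.
PORT_RE = re.compile(r"^(\d{1,5})/(tcp|udp|icmp)$")


def check_addr(elem):
    """Return an error string if elem is not a single IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(elem)
    except ValueError:
        return f"{elem!r} is not an IP address (set[addr] takes no subnets)"
    return None


def check_port(elem):
    """Return an error string if elem is not a Zeek port literal."""
    m = PORT_RE.match(elem)
    if not m or int(m.group(1)) > 65535:
        return f"{elem!r} is not a port literal such as 22/tcp"
    return None


def validate_config(text):
    """Parse config-file text; return (options, errors).

    options maps each option that appears to the set of its elements;
    errors is a list of 'line N: ...' strings (empty when the file is clean).
    """
    options, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)   # option name, then the rest of the line
        name = parts[0]
        if name not in EXPECTED_OPTIONS:
            errors.append(f"line {lineno}: unknown option {name}")
            continue
        if name in options:
            errors.append(f"line {lineno}: {name} set more than once")
            continue
        if len(parts) == 1:
            errors.append(f"line {lineno}: {name} has no value "
                          f"(write {EMPTY_FIELD} for an empty set)")
            continue
        value = parts[1].strip()
        if value == EMPTY_FIELD:
            options[name] = set()
            continue
        check = check_addr if EXPECTED_OPTIONS[name] == "set[addr]" else check_port
        elems = set()
        for elem in (e.strip() for e in value.split(SET_SEPARATOR)):
            err = check(elem)
            if err:
                errors.append(f"line {lineno}: {name}: {err}")
            else:
                elems.add(elem)
        options[name] = elems
    return options, errors


# Constructed sample files (RFC 5737 documentation addresses).
GOOD_CONFIG = """\
# exclusions for bro-simple-scan
PortScanning::exvictim_ips (empty)
PortScanning::exscanner_ips 192.0.2.10,192.0.2.11
PortScanning::exscanned_ports 22/tcp,53/udp
"""

BAD_CONFIG = """\
PortScanning::exvictim_ips
PortScanning::exscanner_ips 192.0.2.10,300.1.1.1
PortScanning::exscanned_ports 22
PortScanning::exscanned_port 53/udp
"""

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        opts, errs = validate_config(cfg)
        print(f"{label}: {len(errs)} error(s)")
        for e in errs:
            print("  " + e)
```

Run it against the real config.dat (read the file and pass its text to validate_config) as part of whatever deploys the scan policy; a non-empty error list is the signal to fix the file before zeekctl deploy picks it up. The option names are the single source of truth, so keep EXPECTED_OPTIONS in step with the export block if more exclusions are added.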

