[Zeek] bro-simple-scan exclude IP addresses
Justin Azoff
justin at corelight.com
Tue Feb 18 10:43:59 PST 2020
Ah.. a bit of confusion here.. but nothing too hard to fix. So what
Michał showed here:
https://gist.github.com/mpurzynski/96a26c42874898447554531b6df9a4bb was
almost exactly what you needed.
Undo any changes you made to the scripts (or just reinstall them, I guess).
The scan policy hook itself is already there for this exact purpose, so you
don't need to change anything.
Just make a new file called scan-policy.zeek that contains
redef Config::config_files += { "/path/to/config.dat" };

module PortScanning;

export {
    option exvictim_ips: set[addr] = {};
    option exscanner_ips: set[addr] = {};
    option exscanned_ports: set[port] = {};
}

hook Scan::scan_policy(scanner: addr, victim: addr, scanned_port: port)
    {
    if ( ( victim in exvictim_ips ) || ( scanner in exscanner_ips ) ||
         ( scanned_port in exscanned_ports ) )
        break;
    }
Done! That's all you need.
On Fri, Feb 14, 2020 at 2:57 PM Gordon Wallum <glwallum at gmail.com> wrote:
> I'm new to Zeek and looking for help with bro-simple-scan to exclude IP
> addresses. I am trying to use runtime options and if breaks to the script
> to accomplish this.
>
> After running I get an error for my options variables. I don't know if I
> should move my excludes to a different part of the script or if my options
> are just not working right.
>
> Any help would be greatly appreciated
>
> *Error*
> error in /opt/bro/share/zeek/policy/custom-scripts/./bro-simple-scan2,
> line 276: unknown identifier exvictim_ips, at or near "exvictim_ips"
>
>
> *My config steps: *
>
> Edit local.bro to include the config file:
> redef Config::config_files += { "/path/to/config.dat" };
>
> *Create config file with variables: *
> PortScanning::exvictim_ips
> PortScanning::exscanner_ips xxx.xxx.xxx.xxx,yyy.yyy.yyy.yyy
> PortScanning::exscanned_ports
>
>
> Edit the bro-simple-scan script:
>
> *Added module and export variable options (after @loads)*
> module PortScanning;
>
> export {
>     option exvictim_ips: set[addr] = {};
>     option exscanner_ips: set[addr] = {};
>     option exscanned_ports: set[port] = {};
> }
>
> *Added if break (in the cluster hook Scan::scan_policy)*
>
> if ( hook Scan::scan_policy(scanner, victim, scanned_port) )
>     {
>     if ( ( victim in exvictim_ips ) || ( scanner in exscanner_ips ) ||
>          ( scanned_port in exscanned_ports ) )
>         break;
>
> *Add an if break (in the standalone hook Scan::scan_policy)*
>
> if ( hook Scan::scan_policy(scanner, victim, scanned_port) )
>     {
>     if ( ( victim in exvictim_ips ) || ( scanner in exscanner_ips ) ||
>          ( scanned_port in exscanned_ports ) )
>         break;
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
--
Justin
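A fuller version of the scan-policy.zeek file described in the reply above, added here as an example (it is not Justin's script or part of bro-simple-scan). It generalizes the exclusion sets from set[addr] to set[subnet], so a whole network such as the range your own vulnerability scanner lives in can be excluded with one entry, and it registers change handlers so every reload of the exclusion lists leaves a line in reporter.log, which makes an accidentally widened exclusion (a detection blind spot) visible afterwards. It assumes bro-simple-scan is loaded before this file (for example from local.zeek) so that Scan::scan_policy is already declared; the config path, the option names exvictim_nets and exscanner_nets, the helper log_change and the sample config.dat values are all placeholders or constructed.

```zeek
# scan-policy.zeek (added example, not part of the original thread).
# Load order assumption: bro-simple-scan is loaded first, e.g. via local.zeek.
#
# Matching /path/to/config.dat (constructed sample). The Config framework
# reads one option per line, name and value separated by whitespace, set
# members separated by commas, "(empty)" for an empty set, "#" for comments:
#
#   PortScanning::exscanner_nets   10.0.5.0/24,192.0.2.7/32
#   PortScanning::exvictim_nets    (empty)
#   PortScanning::exscanned_ports  53/udp,123/udp

module PortScanning;

export {
    ## Networks whose hosts are never reported as scan victims.
    option exvictim_nets: set[subnet] = {};
    ## Networks whose hosts are never reported as scanners
    ## (e.g. the range an authorized vulnerability scanner lives in).
    option exscanner_nets: set[subnet] = {};
    ## Ports that never count toward a scan.
    option exscanned_ports: set[port] = {};
}

# Values live in the config file, not in the script; Zeek re-reads the
# file when it changes, so the lists can be edited without a restart.
redef Config::config_files += { "/path/to/config.dat" };

# An addr is "in" a set[subnet] when any member subnet contains it,
# so one /24 entry covers the whole network. "break" makes the hook
# return false, which tells bro-simple-scan to ignore this pair.
hook Scan::scan_policy(scanner: addr, victim: addr, scanned_port: port)
    {
    if ( scanner in exscanner_nets || victim in exvictim_nets ||
         scanned_port in exscanned_ports )
        break;
    }

# Change handler (hypothetical helper): called by the Option framework each
# time the option is set from the config file; it must return the value
# to store. Logging the size gives an audit trail of exclusion changes.
function log_change(ID: string, new_value: set[subnet]): set[subnet]
    {
    Reporter::info(fmt("%s now excludes %d network(s)", ID, |new_value|));
    return new_value;
    }

event zeek_init()
    {
    Option::set_change_handler("PortScanning::exscanner_nets", log_change);
    Option::set_change_handler("PortScanning::exvictim_nets", log_change);
    }
```

Put the file next to local.zeek and `@load` it there after the scan package; the config file must exist when Zeek starts, since the Config framework opens it through the input framework. Keeping the exclusions in config.dat rather than in the script is what lets you trim the list later without touching bro-simple-scan itself.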