bro-simple-scan exclude IP addresses

I’m new to Zeek and looking for help with bro-simple-scan to exclude IP addresses. I am trying to use runtime options and if/breaks in the script to accomplish this.

After running, I get an error for my options variables. I don’t know if I should move my excludes to a different part of the script or if my options are just not working right.

Any help would be greatly appreciated

Error:
error in /opt/bro/share/zeek/policy/custom-scripts/./bro-simple-scan2, line 276: unknown identifier exvictim_ips, at or near "exvictim_ips"

My config steps:

Edit local.bro to include the config file:
redef Config::config_files += { "/path/to/config.dat" };

Create config file with variables:

PortScanning::exvictim_ips
PortScanning::exscanner_ips xxx.xxx.xxx.xxx,yyy.yyy.yyy.yyy
PortScanning::exscanned_ports

Edit the bro-simple-scan script:

Added module and export variable options (after @loads):

module PortScanning;
export {
    option exvictim_ips: set[addr] = {};
    option exscanner_ips: set[addr] = {};
    option exscanned_ports: set[port] = {};
}

Added an if/break (in the cluster hook Scan::scan_policy):

if ( hook Scan::scan_policy(scanner, victim, scanned_port) )
{
    if ( ( victim in exvictim_ips ) || ( scanner in exscanner_ips ) || ( scanned_port in exscanned_ports ) )
        break;

Added an if/break (in the standalone hook Scan::scan_policy):

if ( hook Scan::scan_policy(scanner, victim, scanned_port) )
{
    if ( ( victim in exvictim_ips ) || ( scanner in exscanner_ips ) || ( scanned_port in exscanned_ports ) )
        break;

Ah… a bit of confusion here… but nothing too hard to fix. So what Michał showed here: https://gist.github.com/mpurzynski/96a26c42874898447554531b6df9a4bb was almost exactly what you needed.

Undo any changes you made to the scripts (or just reinstall them, I guess). The scan policy hook itself is already there for this exact purpose, so you don’t need to change anything.

Just make a new file called scan-policy.zeek that contains:

redef Config::config_files += { "/path/to/config.dat" };

module PortScanning;
export {
    option exvictim_ips: set[addr] = {};
    option exscanner_ips: set[addr] = {};
    option exscanned_ports: set[port] = {};
}

hook Scan::scan_policy(scanner: addr, victim: addr, scanned_port: port)
{
    if ( ( victim in exvictim_ips ) || ( scanner in exscanner_ips ) || ( scanned_port in exscanned_ports ) )
        break;
}

Done! That’s all you need.
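As an added example (my own, not code from the thread or from bro-simple-scan), the same scan-policy.zeek generalized from single addresses to CIDR ranges, together with a matching config.dat so the expected file layout is visible. The option names and the sample addresses are my own; it assumes bro-simple-scan is already loaded from local.zeek so that the Scan::scan_policy hook exists.

```zeek
# scan-policy.zeek (added example, not from the thread)
# Assumes bro-simple-scan is already loaded, so Scan::scan_policy is defined.
redef Config::config_files += { "/path/to/config.dat" };

module PortScanning;

export {
    # set[subnet] lets the config list single hosts (as /32) or whole ranges;
    # "addr in set[subnet]" is true when the address lies inside any member.
    option exvictim_nets: set[subnet] = {};
    option exscanner_nets: set[subnet] = {};
    option exscanned_ports: set[port] = {};
}

# Runs before bro-simple-scan raises a scan notice; break suppresses it.
# Because this handler lives in module PortScanning, the option names can
# be used unqualified here.
hook Scan::scan_policy(scanner: addr, victim: addr, scanned_port: port)
{
    if ( victim in exvictim_nets || scanner in exscanner_nets || scanned_port in exscanned_ports )
        break;
}

# /path/to/config.dat (constructed sample values). Each line is the fully
# qualified option name, whitespace, then the value; set members are
# comma-separated. The config framework re-reads the file when it changes,
# so exclusions can be adjusted without restarting Zeek.
#
# PortScanning::exvictim_nets    192.0.2.0/24,198.51.100.10/32
# PortScanning::exscanner_nets   203.0.113.0/24
# PortScanning::exscanned_ports  53/udp,123/udp
```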