I'm new to Zeek and looking for help with bro-simple-scan to exclude IP addresses. I am trying to use runtime options and if-breaks in the script to accomplish this.
After running it, I get an error for my option variables. I don't know if I should move my excludes to a different part of the script or if my options are just not working right.
Any help would be greatly appreciated.
Error:
error in /opt/bro/share/zeek/policy/custom-scripts/./bro-simple-scan2, line 276: unknown identifier exvictim_ips, at or near “exvictim_ips”
My config steps:
Edit local.bro to include the config file:
redef Config::config_files += { "/path/to/config.dat" };
Create config file with variables:
PortScanning::exvictim_ips
PortScanning::exscanner_ips xxx.xxx.xxx.xxx,yyy.yyy.yyy.yyy
PortScanning::exscanned_ports
Edit the bro-simple-scan script:
Added the module and exported option variables (after the @loads):
module PortScanning;
export {
	option exvictim_ips: set[addr] = {};
	option exscanner_ips: set[addr] = {};
	option exscanned_ports: set[port] = {};
}
Added an if-break (in the cluster hook Scan::scan_policy):
if ( hook Scan::scan_policy(scanner, victim, scanned_port) )
	{
	if ( ( victim in exvictim_ips ) || ( scanner in exscanner_ips ) || ( scanned_port in exscanned_ports ) )
		break;
Added an if-break (in the standalone hook Scan::scan_policy):
if ( hook Scan::scan_policy(scanner, victim, scanned_port) )
	{
	if ( ( victim in exvictim_ips ) || ( scanner in exscanner_ips ) || ( scanned_port in exscanned_ports ) )
		break;
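One way to get the same exclusions without patching bro-simple-scan at all, as an added example (not the poster's script): keep the three options in their own module and implement a handler for the Scan::scan_policy hook the detector already calls, where a break vetoes the attempt. It assumes bro-simple-scan is loaded from the path shown and that its hook has the signature (scanner: addr, victim: addr, scanned_port: port) used above; the sample config line is constructed.

```zeek
# Added example, not part of bro-simple-scan. Load path is an assumption;
# point it at wherever the detector script actually lives.
@load ./bro-simple-scan

module PortScanning;

export {
	## Hosts that must never be reported as scan victims.
	option exvictim_ips: set[addr] = {};
	## Hosts that must never be reported as scanners (e.g. an authorised vuln scanner).
	option exscanner_ips: set[addr] = {};
	## Ports whose probing should not count toward a scan.
	option exscanned_ports: set[port] = {};
}

# Values come from the config framework at runtime, e.g. a line in config.dat
# (name, whitespace, comma-separated values; constructed sample):
#   PortScanning::exscanner_ips    192.0.2.10,192.0.2.11
# Log every change so a widened blind spot is visible in reporter.log.
function note_addr_change(id: string, new_value: set[addr]): set[addr]
	{
	Reporter::info(fmt("%s now excludes %d hosts from scan detection", id, |new_value|));
	return new_value;
	}

event zeek_init()
	{
	Option::set_change_handler("PortScanning::exvictim_ips", note_addr_change);
	Option::set_change_handler("PortScanning::exscanner_ips", note_addr_change);
	}

# A break here tells bro-simple-scan to ignore this attempt entirely, so the
# detector's own code needs no edits and the option names resolve unqualified
# because the handler lives in the same module as the options.
hook Scan::scan_policy(scanner: addr, victim: addr, scanned_port: port)
	{
	if ( victim in exvictim_ips || scanner in exscanner_ips || scanned_port in exscanned_ports )
		break;
	}
```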