Hello,
How do I whitelist IPs for the scan.bro notice? I prefer whitelisting to suppressing. I’m running my tests on try.bro.org.
I’ve tried:
# Whitelist consulted by the Scan::port_scan_policy hook below: hosts (as
# subnets) and destination ports whose connection attempts should not count
# toward a port-scan notice. Both sets are &redef so a site config can extend
# them without editing this script.
module scanwhitelist;
export {
# Scanner addresses to ignore, expressed as subnets so ranges can be listed.
# Keep entries as narrow as possible (/32 for a single host): a match here
# switches off port-scan tracking for that source entirely.
const scan_host_ignore: set[subnet] = { 192.168.0.1/32} &redef;
# Destination ports to ignore; attempts against these ports are not counted
# for any scanner. Empty by default.
const scan_port_ignore: set[port] = { } &redef;
}
# Suppress repeated Scan::Port_Scan notices for the same identifier for 4 hours.
# This is independent of the whitelist above: a non-whitelisted scanner still
# produces its first notice, only the repeats within the interval are dropped.
redef Notice::type_suppression_intervals += {
[Scan::Port_Scan] = 4hrs,
};
# Keep whitelisted scanners and ports out of port-scan tracking.
#
# Scan::port_scan_policy is declared by scan.bro, so that script must be loaded
# before this handler is parsed (otherwise the hook name is unknown). A
# ``break`` ends hook evaluation with a false result; how scan.bro treats that
# result (presumably: the attempt is not counted for ``scanner``) should be
# confirmed against the loaded scan.bro version. ``victim`` is unused here.
hook Scan::port_scan_policy(scanner: addr, victim: addr, scanned_port: port)
	{
	# addr-in-set[subnet] matches when the scanner falls inside any listed subnet.
	local host_ignored = scanner in scanwhitelist::scan_host_ignore;
	if ( host_ignored )
		break;

	if ( scanned_port in scanwhitelist::scan_port_ignore )
		break;
	}
And I have also tried this. Found it here: http://mailman.icsi.berkeley.edu/pipermail/bro/2013-April/005662.html
# Source addresses (inferred as set[addr]) that are expected to show scan-like
# behaviour and whose Scan::Port_Scan notices should not be logged. Declared
# without &redef, so it cannot be extended from a site config.
const external_port_scanners_whitelist = { 10.2.32.94, 8.8.4.4 };
# Log Scan::Port_Scan notices only for sources outside the whitelist.
#
# NOTE(review): this handler only *adds* ACTION_LOG for non-whitelisted
# sources; it never removes a logging action for whitelisted ones. Whether a
# whitelisted scanner ends up unlogged therefore depends on what the rest of
# the Notice policy (including the default handler, which also runs at
# priority 10) does with this notice type — confirm against notice/main.bro.
# Notices without a ``src`` field are left untouched.
hook Notice::policy(n: Notice::Info) &priority=10
	{
	# n?$src is tested first so n$src is never read when the field is absent.
	if ( n$note == Scan::Port_Scan && n?$src )
		{
		if ( n$src !in external_port_scanners_whitelist )
			add n$actions[Notice::ACTION_LOG];
		}
	}
What am I not getting?
Thank you for your help!
Dillon Murpy