I’ve been tinkering with the scan detection in Bro (2.3.2) and I was wondering if this was the most effective method for whitelisting hosts:
const scanners_whitelist {
x.x.x.x
};
hook Notice::policy(n: Notice::Info)
{
if ( n$note == Scan::Port_Scan && n?$src && (n$src in scanners_whitelist) )
{
print n$src;
delete n$actions[Notice::ACTION_LOG];
};
}
Please let me know if there’s a better/more efficient method. Thanks!
Mike