scan.zeek question - exclude IP addresses


I am new with Zeek and looking to learn more. I am currently using the scan.zeek script ( for port scanning detection.

I want to exclude certain source IP addresses from this script but I am not sure the best way to do so. It seems like a comparison with the key$host variable, but not sure where or how to do this logic in Zeek.

Any advice would be appreciated

Thank you

I don't believe it has that functionality at the moment but I have a
patch that can provide those options. I'll put it on GH when I get a
spare moment.

It's worth noting that scan.zeek can perform poorly under heavy load
so maybe have a look at bro-simple-scan as well?


This Christopher, would something like this work for the scan.zeek exclude? I’ll look at the bro simple scan now

At line 71:

local message=fmt("%s scanned at least %d unique hosts on port %s in %s", key$host, r$unique, key$str, dur);
local exclude_ips: set[addr] = {,, } ;
if (key$host !in exclude_ips)

A couple of things.

First, you should use Justin’s simple-scan. As others have pointed out, the stock scanning detection script can behave poorly and it’s hardly extensible.

(it’s also packaged)

Second - you can either ignore connections so the detection algorithm won’t count them (with the hook from the simple-scan code), or you can write a notice policy and ignore some notices. Up to you - we just ignore some connections.

Inside Justin’s package, you will find a hook - this is what we use to ignore a set of destination and source IP addresses and some destination ports

Here’s how we use that hook

The input framework is what we use to update the list runtime. Nowadays you could use the configuration framework instead.

Either way, you do not have to modify any upstream package.

Thank you, this makes sense logically but I can’t figure out how to use the hook to exclude. The code below throws an error

Override this hook to ignore particular scan connections

global Scan::scan_policy: hook(scanner: addr, victim: addr, scanned_port: port)
if (( victim in exvictim_ips) || ( scanner in exscanner_ips ) || ( scanned_port in exscanned_ports))

Also the @load packages/bro-is-darknet is erroring since it is not installed on my Zeek environment, do I need to use the zeek package manager to install it?

I've heard about the darknet error before but I'm not sure I have a
relevant fix for it. I'm sorry. I've only touched these scripts in

Here are the changes I made to scan.zeek if it's helpful at all to
you. I'm not going to make a PR for this because I certainly don't
recommend the use of scan.zeek under heavy load but maybe it'll help
you with some ideas:

Note that I just dredged this out of some of my local tinkering and
didn't bring any btests with it. I think it's functional, though.