Hello!
I am new with Zeek and looking to learn more. I am currently using the scan.zeek script (https://github.com/zeek/zeek/blob/master/scripts/policy/misc/scan.zeek) for port scanning detection.
I want to exclude certain source IP addresses from this script but I am not sure the best way to do so. It seems like a comparison with the key$host variable, but not sure where or how to do this logic in Zeek.
Any advice would be appreciated
Thank you
I don't believe it has that functionality at the moment but I have a
patch that can provide those options. I'll put it on GH when I get a
spare moment.
It's worth noting that scan.zeek can perform poorly under heavy load
so maybe have a look at bro-simple-scan as well?
https://github.com/ncsa/bro-simple-scan
cmh
This Christopher, would something like this work for the scan.zeek exclude? I’ll look at the bro simple scan now
At line 71:
local message=fmt("%s scanned at least %d unique hosts on port %s in %s", key$host, r$unique, key$str, dur);
local exclude_ips: set[addr] = { xxx.xxx.xxx.xxx, xxx.xxx.xxx.yyy, xxx.xxx.xxx.zzz } ;
if (key$host !in exclude_ips)
NOTICE([$note=Address_Scan,
$src=key$host,
$p=to_port(key$str),
$sub=side,
$msg=message,
$identifier=cat(key$host)]);
A couple of things.
First, you should use Justin’s simple-scan. As others have pointed out, the stock scanning detection script can behave poorly and it’s hardly extensible.
https://github.com/ncsa/bro-simple-scan
(it’s also packaged)
Second - you can either ignore connections so the detection algorithm won’t count them (with the hook from the simple-scan code), or you can write a notice policy and ignore some notices. Up to you - we just ignore some connections.
Inside Justin’s package, you will find a hook - this is what we use to ignore a set of destination and source IP addresses and some destination ports
https://github.com/ncsa/bro-simple-scan/blob/master/scripts/scan.bro#L87
Here’s how we use that hook
https://gist.github.com/mpurzynski/96a26c42874898447554531b6df9a4bb
The input framework is what we use to update the list runtime. Nowadays you could use the configuration framework instead.
https://corelight.blog/2018/02/13/runtime-options-the-bro-configuration-framework/
Either way, you do not have to modify any upstream package.
Thank you, this makes sense logically but I can’t figure out how to use the hook to exclude. The code below throws an error
global Scan::scan_policy: hook(scanner: addr, victim: addr, scanned_port: port)
{
if (( victim in exvictim_ips) || ( scanner in exscanner_ips ) || ( scanned_port in exscanned_ports))
break;
}
Also the @load packages/bro-is-darknet is erroring since it is not installed on my Zeek environment, do I need to use the zeek package manager to install it?
I've heard about the darknet error before but I'm not sure I have a
relevant fix for it. I'm sorry. I've only touched these scripts in
passing.
Here are the changes I made to scan.zeek if it's helpful at all to
you. I'm not going to make a PR for this because I certainly don't
recommend the use of scan.zeek under heavy load but maybe it'll help
you with some ideas:
Note that I just dredged this out of some of my local tinkering and
didn't bring any btests with it. I think it's functional, though.
cmh