scan.zeek question - exclude IP addresses

Hello!

I am new to Zeek and looking to learn more. I am currently using the scan.zeek script (https://github.com/zeek/zeek/blob/master/scripts/policy/misc/scan.zeek) for port scanning detection.

I want to exclude certain source IP addresses from this script but I am not sure of the best way to do so. It seems like it would be a comparison with the key$host variable, but I'm not sure where or how to do this logic in Zeek.

Any advice would be appreciated

Thank you

I don't believe it has that functionality at the moment but I have a
patch that can provide those options. I'll put it on GH when I get a
spare moment.

It's worth noting that scan.zeek can perform poorly under heavy load
so maybe have a look at bro-simple-scan as well?
https://github.com/ncsa/bro-simple-scan

cmh

Thanks Christopher, would something like this work for the scan.zeek exclude? I’ll look at the bro simple scan now.

At line 71:

    local message = fmt("%s scanned at least %d unique hosts on port %s in %s", key$host, r$unique, key$str, dur);
    local exclude_ips: set[addr] = { xxx.xxx.xxx.xxx, xxx.xxx.xxx.yyy, xxx.xxx.xxx.zzz };
    if ( key$host !in exclude_ips )
        NOTICE([$note=Address_Scan,
                $src=key$host,
                $p=to_port(key$str),
                $sub=side,
                $msg=message,
                $identifier=cat(key$host)]);

A couple of things.

First, you should use Justin’s simple-scan. As others have pointed out, the stock scanning detection script can behave poorly and it’s hardly extensible.

https://github.com/ncsa/bro-simple-scan

(it’s also packaged)

Second - you can either ignore connections so the detection algorithm won’t count them (with the hook from the simple-scan code), or you can write a notice policy and ignore some notices. Up to you - we just ignore some connections.

Inside Justin’s package, you will find a hook - this is what we use to ignore a set of destination and source IP addresses and some destination ports

https://github.com/ncsa/bro-simple-scan/blob/master/scripts/scan.bro#L87

Here’s how we use that hook

https://gist.github.com/mpurzynski/96a26c42874898447554531b6df9a4bb

The input framework is what we use to update the list runtime. Nowadays you could use the configuration framework instead.

https://corelight.blog/2018/02/13/runtime-options-the-bro-configuration-framework/

Either way, you do not have to modify any upstream package.
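A working form of the exclusion hook the reply above describes, added here as an example (it is not code from the thread or from the bro-simple-scan package). It assumes the package is installed and loaded and that its Scan::scan_policy hook takes (scanner: addr, victim: addr, scanned_port: port) as the linked line shows; the module name, addresses and ports are constructed placeholders.

```zeek
# Site-local exclusions for bro-simple-scan, kept in a separate script so
# no upstream package file is modified. (Added example, not package code.)
# Assumption: the package is installed with zkg and loaded via this path.
@load packages/bro-simple-scan

# Hypothetical module name for the site script.
module SiteScanExclude;

export {
    # Sources that legitimately touch many hosts (authorised vulnerability
    # scanners, monitoring). Constructed RFC 5737 documentation addresses.
    option exclude_scanners: set[subnet] = { 192.0.2.10/32, 198.51.100.0/24 };

    # Destinations whose traffic should never count toward a scan.
    option exclude_victims: set[subnet] = { 203.0.113.0/24 };

    # Destination ports with expected fan-out (DNS, NTP).
    option exclude_ports: set[port] = { 53/udp, 123/udp };
}

# Declaring these as `option` lets the configuration framework change them
# at runtime (no restart, no edit to the package).

# A hook handler is written as `hook Name(args) { ... }`; the package already
# provides the `global Scan::scan_policy: hook(...)` declaration, so a script
# that repeats that declaration with a body will not compile.
hook Scan::scan_policy(scanner: addr, victim: addr, scanned_port: port)
    {
    # `break` ends the hook chain and makes the hook evaluate to F, which is
    # how the package is told to drop this connection from the attempt count.
    # `addr in set[subnet]` does a longest-prefix match, so whole ranges work.
    if ( scanner in exclude_scanners )
        break;

    if ( victim in exclude_victims )
        break;

    if ( scanned_port in exclude_ports )
        break;
    }
```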

Thank you, this makes sense logically but I can’t figure out how to use the hook to exclude. The code below throws an error:

# Override this hook to ignore particular scan connections
global Scan::scan_policy: hook(scanner: addr, victim: addr, scanned_port: port)
    {
    if ( ( victim in exvictim_ips ) || ( scanner in exscanner_ips ) || ( scanned_port in exscanned_ports ) )
        break;
    }

Also the @load packages/bro-is-darknet is erroring since it is not installed on my Zeek environment, do I need to use the zeek package manager to install it?

I've heard about the darknet error before but I'm not sure I have a
relevant fix for it. I'm sorry. I've only touched these scripts in
passing.

Here are the changes I made to scan.zeek if it's helpful at all to
you. I'm not going to make a PR for this because I certainly don't
recommend the use of scan.zeek under heavy load but maybe it'll help
you with some ideas:

https://github.com/corelight-chris/zeek/blob/64331b1ace775ee86442ccae79e62d20e79ce0e5/scripts/policy/misc/scan.zeek

Note that I just dredged this out of some of my local tinkering and
didn't bring any btests with it. I think it's functional, though.

cmh