Scanning IPs

As with every infrastructure I am plagued with people scanning my external edge. I see little value in getting notices for scanning attempts and password guessing attempts but I do see value in running monthly reports and generating blocklists based on repeat offenders.

Is there a way to tell the notice framework to only create alarms (emails) if it sees scans of any kind (address, port, password guessing, etc.) and they are from the IPs in my $HOME_NET defined in networks.cfg?

Justification: if I

redef Notice::ignored_types += {
    SSH::Password_Guessing,
    Scan::Address_Scan,
    Scan::Port_Scan,
    HTTP::SQL_Injection_Attacker,
    ShellShock::Scanner,
    ScanUDP::Address_Scan,
    ScanUDP::Port_Scan,
};

Then I get no logging of the events anywhere. Therefore I can’t run reports of offenders and build active blocklists or other intel gathering activities.

If I set a rule to only email specific notice types:

redef Notice::emailed_types += {
    Weird::Activity,
    Signatures::Sensitive_Signature,
    Signatures::Multiple_Signatures,
    Signatures::Multiple_Sig_Responders,
    Signatures::Count_Signature,
    Intel::Notice,
    TeamCymruMalwareHashRegistry::Match,
    Traceroute::Detected,
    FTP::Bruteforcing,
    FTP::Site_Exec_Success,
    HTTP::SQL_Injection_Victim,
    SMTP::Blocklist_Error_Message,
    SMTP::Blocklist_Blocked_Host,
    SMTP::Suspicious_Origination,
    SSH::Login_By_Password_Guesser,
    SSH::Interesting_Hostname_Login,
};

Then I get flooded with email from any of the guessing activity. (Side note: I find that the above logic doesn’t restrict email notices to just those listed in the defined email types above. I still get plenty of notices about events not listed in the list above.) If the redef Notice::emailed_types worked it would be a start, but I’d still like to get emails about IP addresses in my internal net getting scanned by other IPs in my internal net; that's definitely an indicator of unwanted behavior.

Any assistance would be greatly appreciated. Just trying to tune things to a manageable level.

Thanks
Tim

The thing to understand is that the ignored_types and emailed_types are just tables defined to make tweaking the base notice policy easier.

That default notice policy is:

hook Notice::policy(n: Notice::Info) &priority=10
        {
        if ( n$note in Notice::ignored_types )
                break;

        if ( n$note in Notice::not_suppressed_types )
                n$suppress_for=0secs;
        if ( n$note in Notice::alarmed_types )
                add n$actions[ACTION_ALARM];
        if ( n$note in Notice::emailed_types )
                add n$actions[ACTION_EMAIL];

        if ( n$note in Notice::type_suppression_intervals )
                n$suppress_for=Notice::type_suppression_intervals[n$note];

        # Logging is a default action. It can be removed in a later hook if desired.
        add n$actions[ACTION_LOG];
        }

As you can see, adding notice types to those tables just tweaks the behavior of the default Notice::policy hook. To do some of the things you want to do, you just need a hook like

hook Notice::policy(n: Notice::Info)
        {
        if ( n$note == Scan::Port_Scan && Site::is_local_addr(n$src) )
                add n$actions[Notice::ACTION_EMAIL];
        }

If that would get repetitive, you can create your own table like

const local_emailed_types: set[Notice::Type] = {} &redef;

and have the policy be

hook Notice::policy(n: Notice::Info)
        {
        if ( n$note in local_emailed_types && Site::is_local_addr(n$src) )
                add n$actions[Notice::ACTION_EMAIL];
        }

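Putting both halves of the request together, as an added example that is not part of the reply above: a second Notice::policy hook, running after the default one at priority 10, that keeps scan-type notices in notice.log for reporting but only leaves ACTION_EMAIL in place when the source is local. The set name local_only_types and the module name are assumptions for this example.

```bro
# Added example, not code from the thread. Assumes the default
# Notice::policy hook (priority 10) has already populated n$actions,
# and that Site::is_local_addr() reflects the networks in networks.cfg.
module LocalOnlyNotices;

export {
    # Notice types that should only be emailed when the *source* is local.
    # Put them in Notice::emailed_types as well, or not; this hook decides.
    const local_only_types: set[Notice::Type] = {
        Scan::Address_Scan,
        Scan::Port_Scan,
        SSH::Password_Guessing,
    } &redef;
}

# Lower priority than the default hook, so it sees the actions that hook added.
hook Notice::policy(n: Notice::Info) &priority=5
    {
    if ( n$note in local_only_types )
        {
        # src is &optional in Notice::Info, so check it exists before use.
        if ( n?$src && Site::is_local_addr(n$src) )
            # Internal host scanning internal hosts: an analyst should see it now.
            add n$actions[Notice::ACTION_EMAIL];
        else
            # External scanner: drop the email but keep the record.
            delete n$actions[Notice::ACTION_EMAIL];
        }

    # ACTION_LOG is never removed here, so every scan still lands in
    # notice.log for the monthly offender reports and blocklist builds.
    }
```

Notices of other types are not touched by this hook, so anything the default policy emails (Intel::Notice and the rest of Notice::emailed_types) is still emailed.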
FANTASTIC!! Giving it a shot now

Followup question:

If I set this, will I still get the other notices emailed to me, such as items from the intel framework that I have set meta.do_notice and meta.if_in for? Or will I have to make another notice hook to still allow for those to send emails when observed?

Obviously I have some bro scripting classes to attend, but in the meanwhile I am just trying to hack this together.

Tim

Sorry to beat a dead horse here but I am having a few issues with setting the alert_email_types.

I set the following in my local.bro:

redef Notice::emailed_types += {
    Weird::Activity,
    Signatures::Sensitive_Signature,
    Signatures::Multiple_Signatures,
    Signatures::Multiple_Sig_Responders,
    Signatures::Count_Signature,
    Intel::Notice,
    TeamCymruMalwareHashRegistry::Match,
    Traceroute::Detected,
    FTP::Bruteforcing,
    FTP::Site_Exec_Success,
    SMTP::Blocklist_Error_Message,
    SMTP::Blocklist_Blocked_Host,
    SMTP::Suspicious_Origination,
    SSH::Login_By_Password_Guesser,
    SSH::Interesting_Hostname_Login,
};

Now here I would expect to only get emails from the notice framework for the defined types. But in actuality I get email from other things as well, such as SQL_Injection, Weird_Activity, etc. I want the notice framework to log all these actions, but I don’t want emails sent to me for them.

I am using the emailed types to send emails to an alert dashboard for analysts to look at. I only want things to go there that require immediate action by the analyst; all other notices I want logged, and they can view them when they do their hourly checks of the net.

Did I configure the email_types incorrectly? The end of my local.bro file contains the following email types modifications I have made:

redef Notice::emailed_types += {
    Weird::Activity,
    Signatures::Sensitive_Signature,
    Signatures::Multiple_Signatures,
    Signatures::Multiple_Sig_Responders,
    Signatures::Count_Signature,
    Intel::Notice,
    TeamCymruMalwareHashRegistry::Match,
    Traceroute::Detected,
    FTP::Bruteforcing,
    FTP::Site_Exec_Success,
    SMTP::Blocklist_Error_Message,
    SMTP::Blocklist_Blocked_Host,
    SMTP::Suspicious_Origination,
    SSH::Login_By_Password_Guesser,
    SSH::Interesting_Hostname_Login,
};

# Only receive scan notices if they are from the local network.

const local_emailed_types: set[Notice::Type] = {
    SSH::Password_Guessing,
} &redef;

hook Notice::policy(n: Notice::Info)
        {
        if ( n$note in local_emailed_types && Site::is_local_addr(n$src) )
                add n$actions[Notice::ACTION_EMAIL];
        }

Any help would be appreciated.

Thanks

Hi,

> redef Notice::emailed_types += {

Blind guess: try

redef Notice::emailed_types = {

Regards,
Jan