I am trying to generate a simple scan notice, when ip scanner is detected. I found bro-simple-scan and that it relies on darknet. What is the darknet script?
Also I tried loading both scripts in the zeek, but get nothing from either script in notice.log
Hoping to learn.
The explanation of the darknet scripts is here: GitHub - ncsa/bro-is-darknet
A darknet (or dark address space) is address space that is known to be empty, with no active servers/services. So - if there is a connection attempt to a dark address, you know that that is probably a scanner.
Thanks a lot. That makes sense. Can I then ask, how does the darknet script work on its own? Does it log to a specific file or is it a foundation for other scripts only?
The darknet scripts does no logging by itself, it only exposes functionality to build other scripts on.
For details, see the readme in of the repository - it explains exactly what it does and how to use it
Now I get it. Trial and error