
Bro simple scan

This is the 'simplest thing that could possibly work' scan detection script for bro. The entire script is about 300 lines and written to be as understandable as possible.

While simple, it also tries to do the least amount of work needed to detect scans.

It should work for up to about eight /16 networks before the manager is overloaded, but with the right policy it may scale even higher. Once Broker is ready, it will enable a version that scales the analysis out across multiple data nodes.

Configuration

See the comments in scan.bro for all the tunables. Most likely one would want to modify the various threshold variables for different environments.

Properly configuring the darknet plugin as described under https://github.com/ncsa/bro-is-darknet will enable faster detection of scans.

False positives for outbound scans for heavy bittorrent users are common, but that is fixable with the right scan policy to ignore their 'scans'.

Notice policy

The script uses the notice-type-specific suppression intervals to ignore further scan traffic from hosts that have already triggered scan notices.

If you don't care about repeat notices once per hour, set the suppression interval to a higher value.

redef Notice::type_suppression_intervals += {
    [Scan::Port_Scan]           = 4hrs,
    [Scan::Address_Scan]        = 4hrs,
    [Scan::Random_Scan]         = 4hrs,
};

If you are blocking scanners using a default duration of less than 1 hour, set the intervals to match. Otherwise once the block expires, bro will still be ignoring the scanner.

Example scan policy

# Ignore (via 'break') scan attempts for common noisy destination ports that are already blocked
# but don't ignore outbound scans TO these ports.
const ignore_scan_ports: set[port] = { 23/tcp, 445/tcp };

hook Scan::scan_policy(scanner: addr, victim: addr, scanned_port: port)
{
    if ((scanned_port in ignore_scan_ports) && (!Site::is_local_addr(scanner)))
        break;
}
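Added example policy, not part of the bro-simple-scan package: it combines the two tuning points above, suppressing outbound "scan" notices from known heavy BitTorrent hosts while still reporting their scans of privileged ports, and keeping the notice suppression interval aligned with a blocking duration. The names noisy_torrent_hosts and scan_block_duration, and the 192.0.2.x addresses, are constructed placeholders; Site::is_local_addr, is_tcp_port and port_to_count are standard Zeek script functions, and the Scan::scan_policy hook signature is the one shown above.

```zeek
# Added example, not from the bro-simple-scan package.
# Local hosts assumed to be heavy BitTorrent users (placeholder addresses).
const noisy_torrent_hosts: set[addr] = { 192.0.2.10, 192.0.2.11 } &redef;

# Assumed duration of the block applied to detected scanners. Keeping the
# suppression interval equal to it means the script stops ignoring a scanner
# at the same moment the block expires.
const scan_block_duration = 30min &redef;

redef Notice::type_suppression_intervals += {
    [Scan::Port_Scan]    = scan_block_duration,
    [Scan::Address_Scan] = scan_block_duration,
    [Scan::Random_Scan]  = scan_block_duration,
};

hook Scan::scan_policy(scanner: addr, victim: addr, scanned_port: port)
{
    # Only ignore outbound activity (local scanner, remote victim) from the
    # listed hosts, and only on high TCP ports where peer-to-peer traffic
    # lives. Scans of privileged ports from these hosts are still reported.
    if ( scanner in noisy_torrent_hosts
         && Site::is_local_addr(scanner)
         && ! Site::is_local_addr(victim)
         && is_tcp_port(scanned_port)
         && port_to_count(scanned_port) > 1024 )
        break;
}
```

Because every scan_policy hook handler runs until one of them executes break, this policy can be loaded alongside the port-based example above; the two conditions are independent and either one is enough to drop the candidate scan.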

bro-simple-scan's People

Contributors

dopheide-esnet, jsiwek, justinazoff, kayavila, pbcullen

bro-simple-scan's Issues

Install fails test on zeek 4.0

Installed from zkg on 4.0, installed from RPM on CentOS 7. zeek/ncsa/bro-is-darknet seems to install fine (dep).

zkg.test_command.stderr
tests.test_445_scan ... ok
tests.test_backscatter ... ok
tests.test_mutiport_scan ... failed
% 'btest-diff notice.log' failed unexpectedly (exit code 1)
% cat .diag
== File ===============================
125.27.226.209 - Scan::Address_Scan kk: 125.27.226.209 scanned at least 5 unique hosts on ports 8080/tcp, 80/tcp, 88/tcp in 0m0s remote
== Diff ===============================
--- /tmp/test-diff.7808.notice.log.baseline.tmp 2021-03-15 20:27:23.891629813 +0000
+++ /tmp/test-diff.7808.notice.log.tmp 2021-03-15 20:27:23.883629770 +0000
@@ -1 +1 @@
-125.27.226.209 - Scan::Address_Scan kk: 125.27.226.209 scanned at least 5 unique hosts on ports 80/tcp, 88/tcp, 8080/tcp in 0m0s remote
+125.27.226.209 - Scan::Address_Scan kk: 125.27.226.209 scanned at least 5 unique hosts on ports 8080/tcp, 80/tcp, 88/tcp in 0m0s remote

% cat .stderr
warning: Using legacy environment variable BRO_SEED_FILE, support will be removed in Zeek v4.1; use ZEEK_SEED_FILE instead
warning: Loading script 'load.bro' with legacy extension, support for '.bro' will be removed in Zeek v4.1
warning in ./../../../scripts/load.bro, line 1: Loading script './../../../scripts/./scan.bro' with legacy extension, support for '.bro' will be removed in Zeek v4.1
warning in ./../../../scripts/load.bro, line 1: Loading script './../../../scripts/./scan.bro' with legacy extension, support for '.bro' will be removed in Zeek v4.1
warning in ./../../../scripts/./scan.bro, line 11: Loading script 'load.bro' with legacy extension, support for '.bro' will be removed in Zeek v4.1
warning in /opt/zeek/var/lib/zkg/testing/bro-simple-scan/scripts/packages/bro-is-darknet/load.bro, line 1: Loading script '/opt/zeek/var/lib/zkg/testing/bro-simple-scan/scripts/packages/bro-is-darknet/./main.bro' with legacy extension, support for '.bro' will be removed in Zeek v4.1
warning in /opt/zeek/var/lib/zkg/testing/bro-simple-scan/scripts/packages/bro-is-darknet/load.bro, line 1: Loading script '/opt/zeek/var/lib/zkg/testing/bro-simple-scan/scripts/packages/bro-is-darknet/./main.bro' with legacy extension, support for '.bro' will be removed in Zeek v4.1

tests.test_port_scan ... ok
tests.test_port_scan_with_zero_windows ... ok
1 of 5 tests failed

I installed bro-is-darknet by itself and then reran the install and got the same error.

Tests break on newer versions of zeek - calls bro and bro-cut binaries instead of zeek

Installation fails when running unit tests using zkg.
Looks like the unit tests are using the old binaries "bro" and "bro-cut".
This is causing installation to fail using zkg since these binaries are symlinks to zeek-wrapper now.
An easy fix is to remove the symlink to the actual binaries instead, but this should really be fixed in the package.

Running zeek version 3.1.5

Also handle SW

With newer bro/zeek, SYN-only connections may be reported as "SW" and not just "S" if the packet had a zero window.

problem installing package using zkg package manager

I get this error when trying to install:
$ zkg install ncsa/bro-simple-scan
error: failed to resolve dependencies: package "zeek/ncsa/bro-simple-scan" has invalid dependency "bro/ncsa/bro-is-darknet": package name not found in sources and also not a usable git URL (invalid or inaccessible, use -vvv for details)

Incompatible with bro 2.5-6

Due to different arguments for the begin_suppression event in /frameworks/notice/main.bro

Works fine with bro 2.5-297.

Remaining zeekification

Hi! We've deprecated the old misc/scan.zeek in the Zeek distribution and are pointing at this package for suggested replacement: zeek/zeek#2357. Two quick questions:

  • Is this package still maintained?
  • Could you zeekify the repo name and ideally also the remaining bits in the repo?

Thanks!
