Zeek Bogon Networks Package
This package adds two fields to Zeek's conn.log to identify if an orig/resp IP is in a bogon network range:
bogon_origbogon_resp
Network ranges that will be marked as bogon:
0.0.0.0/8127.0.0.0/8169.254.0.0/16192.0.2.0/24198.51.100.0/24203.0.113.0/24224.0.0.0/4255.255.255.255/32::1/128100::/642001:db8::/32fe80::/10ff00::/8
This package also can classify the RFC 1918 private address space and RFC 4193 IPv6 Unicast Addresses if desired. This functionality is disabled by default, as many Zeek users run Zeek on a local network where RFC 1918 traffic is expected.
To enable classifying RFC 1918/4193 private address space as bogon, add the following to your local.zeek:
redef Bogon::private_as_bogon = T;
This will mark these ranges as bogon:
10.0.0.0/8172.16.0.0/12192.168.0.0/16fc00::/7
Install
This package is available via the Zeek Package Manager:
$ zkg install zeek-bogon
Links
For more info on bogon ranges, please see the following:
- Bad Packets: Hunting for bogons and the ISPs that announce them
- Wikipedia: Bogon filtering
- Team Cymru: The Bogon Reference
Credits
Some of the test traces were not generated by me:
- ipv6-smtp.pcapng: nacnud