zeek / zeek

Zeek is a powerful network analysis framework that is much different from the typical IDS you may know.
https://www.zeek.org

Scripts: scan.zeek should not pass notice identifiers #1167

Closed hiendv closed 4 years ago

hiendv commented 4 years ago

Scanning notices are already suppressed by intervals (redef).

    ## Failed connection attempts are tracked over this time interval for
    ## the address scan detection.  A higher interval will detect slower
    ## scanners, but may also yield more false positives.
    const addr_scan_interval = 5min &redef;

    ## Failed connection attempts are tracked over this time interval for
    ## the port scan detection.  A higher interval will detect slower
    ## scanners, but may also yield more false positives.
    const port_scan_interval = 5min &redef;

Adding notice identifiers introduces unnecessary auto suppression which results in missing notices with different scan inputs.

# this one will trigger the notice
nmap -A scanme.nmap.org

# this one won't but it should
nmap -A example.com

# or this one
nmap -A 192.168.1.137

In my opinion, notices should be raised without them or with more specific keys. E.g. cat(key$host, key$str).

JustinAzoff commented 4 years ago

The notice suppression times can be changed with something like this, if you wanted that:

redef Notice::type_suppression_intervals += {
    [Scan::Port_Scan]    = 10sec,
    [Scan::Address_Scan] = 10sec,
};

or turned off completely with

redef Notice::not_suppressed_types += {
    Scan::Port_Scan,
    Scan::Address_Scan,
};

In general you should avoid that scan detection script. It does not work that well and is no longer loaded by default. Give https://github.com/ncsa/bro-simple-scan a try, you'll likely see 10x more notices.
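Putting the two knobs above together with the "more specific key" idea from the report, as an added example (this is not code from the thread or from Zeek's own scan.zeek): it shortens the suppression window for the two scan notices and uses a Notice::policy hook to rebuild the identifier from the scanner, the scanned host and the port where those fields are present. Which of src, dst and p a given scan notice carries is an assumption here; the hook only uses the ones that are set.

```zeek
# Added example: per-target suppression keys for the scan notices.
# Not part of Zeek's scan.zeek; written for this thread.

@load policy/misc/scan

# Shorten the repeat-suppression window for scan notices from the
# default Notice::default_suppression_interval (1 hr) to 10 seconds.
redef Notice::type_suppression_intervals += {
	[Scan::Port_Scan]    = 10sec,
	[Scan::Address_Scan] = 10sec,
};

# Rebuild the suppression key so that the same scanner hitting a
# different target (or port) is reported as a separate notice instead
# of being folded into the first one.
hook Notice::policy(n: Notice::Info)
	{
	if ( n$note != Scan::Port_Scan && n$note != Scan::Address_Scan )
		return;

	# Assumption: the scan notices may carry src, dst and/or p; only the
	# fields that are actually set are appended to the identifier.
	local key = cat(n$note);

	if ( n?$src )
		key = cat(key, "-", n$src);
	if ( n?$dst )
		key = cat(key, "-", n$dst);
	if ( n?$p )
		key = cat(key, "-", n$p);

	n$identifier = key;
	}
```

Dropping the redef and instead adding Notice::ACTION_NO_SUPPRESS to n$actions inside the same hook would disable suppression for these two types only, which is equivalent to the Notice::not_suppressed_types redef above but keeps all scan-notice tuning in one place.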

hiendv commented 4 years ago

@JustinAzoff Thank you for your suggestion. It works! I guess I will try the ncsa script.