[bro] how use scan analyzer ?

rmkml rmkml at wanadoo.fr
Fri Jun 18 05:29:51 PDT 2004


Hi,

Im use bro v0.9a2

on fbsd v4.9r

I run bro with :

  /usr/local/bin/bro09a2_nodns -i fxp1 bro.init mt http-request http-reply

but I don't have scan detect

and I don't have scan.log.

I have log.log, http.log, ftp.log, weird.log.

I have tested with policy/scan.bro : 25 -> 5

  const possible_port_scan_thresh = 5 &redef;

but no result.

Normaly, scan analyzer is loaded on mt.bro policy. (default)

I have added scan in start cmd :
  /usr/local/bin/bro09a2_nodns -i fxp1 bro.init mt http-request http-reply 
scan


Possible help me ?


I have second question,
How searching old email on bro list ?
url ?


Regards

Rmkml at Wanadoo.fr

PS: prelude and snort detect scan, yes I run scan test, and receive scan 
...



More information about the Bro mailing list