Joncarlo Ruggieri jruggieri at ucdavis.edu
Tue Feb 7 11:50:14 PST 2006


We are running Bro 0.9a8.

I am trying to track down an inconsistency with our alarm logs.

Our thresholds for reporting AddressScans from external hosts are defined
in scan.bro as follows:

   const report_peer_scan = {
           20, 100, 1000, 10000, 50000, 100000, 250000, 500000, 1000000,
   } &redef;

This is not redefined elsewhere.

I see AddressScan alarms for a given host when they reach our
first defined threshold of 20.

I don't see entries for the next threshold of 100.

However, when we checkpoint Bro, we see ScanSummary log entries for higher
counts.  (We checkpoint Bro every 3 hours.)

Also, we can see ScanSummary entries for hosts that did not have
AddressScan entries during this last log/checkpoint period.

My questions are:

1) Is there something else which might override the report_peer_scan?

2) Should checkpointing Bro reset the ScanSummary count, or will we need
to force that?

   2A) How do we force the ScanSummary count to reset?

Our ultimate goal is to be able to determine the number of addresses
scanned by a host at the end of our 3-hour checkpoint interval.  That
count could be either the true number or else the last threshold reached.

Thanks for your help!

Joncarlo Ruggieri
University of CA, Davis
Data Center & Client Services

