[Bro] inbound PortScans that aren't really...
vern at icir.org
Tue Oct 9 15:56:08 PDT 2007
> > Can you send me a trace of one of these scans? (Just TCP control
> > packets is fine if there's content you can't pass on).
> We have a free copy of splunk indexing the /usr/local/bro/logs/*
> files. Using splunk provides an easy way to retrieve data from all
> of the BRO files - conn, notice, info, etc. Tim Rupp did this. He's
> available for hire!
> I saw an outbound scan report today and used this splunk command ...
To figure this out, we really need a raw trace. The reason is the appearance
of a bunch of connections with state given as "OTH". Those reflect a
non-standard connection establishment (often due to Bro missing the beginning
of the connection, or multi-pathing, or the packet filter reordering SYNs
with SYN ACKs), which are probably what's confusing the scan detector about
the direction of the activity.
You can anonymize a raw trace using ipsumdump -A. Alternatively, you
could run Bro on it using "record_state_history=T" at the command line
to turn on connection state history tracking, which would probably let us
infer what's going on.
More information about the Bro