[Bro] inbound PortScans that aren't really...

Vern Paxson vern at icir.org
Tue Oct 9 15:56:08 PDT 2007

> > Can you send me a trace of one of these scans? (Just TCP control
> > packets is fine if there's content you can't pass on).
> ...
> We have a free copy of splunk indexing the /usr/local/bro/logs/*  
> files.  Using splunk provides an easy way to retrieve data from all  
> of the BRO files - conn, notice, info, etc.  Tim Rupp did this.  He's  
> available for hire!
> I saw an outbound scan report today and used this splunk command ...

To figure this out, we really need a raw trace.  The reason is the appearance
of a bunch of connections with state given as "OTH".  Those reflect a
non-standard connection establishment (often due to Bro missing the beginning
of the connection, or multi-pathing, or the packet filter reordering SYNs
with SYN ACKs), which are probably what's confusing the scan detector about
the direction of the activity.

You can anonymize a raw trace using ipsumdump -A.  Alternatively, you
could run Bro on it using "record_state_history=T" at the command line
to turn on connection state history tracking, which would probably let us
infer what's going on.


More information about the Bro mailing list