[Bro] inbound PortScans that aren't really...

Randolph Reitz rreitz at fnal.gov
Wed Sep 26 14:37:57 PDT 2007

I'm running a minimal set of BRO (1.3.2) policies, scan.bro plus a  
few others, on the Fermilab traffic.  I see a lot of inbound scans  
that appear to be bogus.  For example...

1190841523.673433:PortScan:NOTICE_ALARM_ALWAYS:: has scanned 50 ports of

This notice seems to be the result of an internal host visiting a web  
page (e.g. domain name pointer  
forums.snapstream.com) where the web browser is incrementing the  
source port for each TCP connection to the destination port 80 web  
server.  In scan.bro, this looks like the remote system is (inbound)  
port scanning the internal host.

Have I missed a configuration in scan.bro that will ignore this?

Randy Reitz
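The false positive described in the post comes from the recorded direction of the flow: when the monitor attributes the web server's port-80 replies to the server as originator, a counter of "distinct responder ports per originator/responder pair" sees the client's incrementing ephemeral ports and reports the server as a scanner. The following is an added example written for this page, not code from the post and not Bro's scan.bro. It runs a naive port-scan counter and a direction-aware counter over constructed connection records (hosts, ports, timestamps and the `orig_sent_syn` flag are all made up for the illustration, and the service-port heuristic is an assumption of the example, not a Bro option), showing that the naive counter flags the web server while the direction-aware one still catches a real SYN scan.

```python
"""Naive vs. direction-aware port-scan counting over constructed connection records.

Added example for illustration; not Bro's scan.bro and not the poster's code.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumption for this example: a flow whose recorded *originator* port is a
# well-known service port, whose responder port is ephemeral, and for which the
# originator was never seen sending a SYN is most likely a reply whose direction
# was recorded backwards (e.g. the monitor saw the SYN-ACK before the SYN).
SERVICE_PORTS = {22, 25, 53, 80, 443}
EPHEMERAL_START = 1024
THRESHOLD = 50  # same count as the "has scanned 50 ports" notice in the post


@dataclass(frozen=True)
class Conn:
    ts: float
    orig_h: str          # host recorded as the originator
    orig_p: int
    resp_h: str          # host recorded as the responder
    resp_p: int
    orig_sent_syn: bool  # True when the recorded originator was seen sending the initial SYN


def naive_scanners(conns, threshold=THRESHOLD):
    """Distinct responder ports per (originator, responder), trusting the recorded direction."""
    ports = defaultdict(set)
    for c in conns:
        ports[(c.orig_h, c.resp_h)].add(c.resp_p)
    return {pair: len(p) for pair, p in ports.items() if len(p) >= threshold}


def looks_reversed(c):
    """Heuristic (assumed here): service port as originator, ephemeral responder port, no SYN seen."""
    return (not c.orig_sent_syn) and c.orig_p in SERVICE_PORTS and c.resp_p >= EPHEMERAL_START


def direction_aware_scanners(conns, threshold=THRESHOLD):
    """Same count as naive_scanners, but skips flows whose direction looks reversed."""
    ports = defaultdict(set)
    for c in conns:
        if looks_reversed(c):
            continue
        ports[(c.orig_h, c.resp_h)].add(c.resp_p)
    return {pair: len(p) for pair, p in ports.items() if len(p) >= threshold}


def sample_conns():
    """Constructed records: hosts, ports and timestamps are invented for this example."""
    client, server, scanner = "10.0.0.5", "203.0.113.10", "198.51.100.7"
    conns = []
    # 50 browser connections client:ephemeral -> server:80, each recorded with the
    # direction flipped (server:80 appears as originator, client port increments).
    for i in range(50):
        conns.append(Conn(1190841000.0 + i, server, 80, client, 49152 + i, False))
    # A genuine inbound SYN scan of 60 low ports on the client, recorded correctly.
    for p in range(1, 61):
        conns.append(Conn(1190842000.0 + p, scanner, 40000 + p, client, p, True))
    return conns


if __name__ == "__main__":
    data = sample_conns()
    print("naive:          ", naive_scanners(data))
    print("direction-aware:", direction_aware_scanners(data))
```

The naive counter reports both the web server (50 client ports) and the scanner (60 ports); the direction-aware counter drops the 50 reversed reply flows and reports only the scanner. In practice the reliable signal is who sent the SYN; the service-port check is a fallback for flows picked up mid-stream, where no SYN was observed.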
