[Bro] scan.bro and missing log entries

Tyler T. Schoenke Tyler.Schoenke at colorado.edu
Thu Dec 2 08:00:03 PST 2010

I've been seeing AddressScan alerts, but when I check conn.log, I can't
find the corresponding entries.   I got an alert yesterday about a
5060/udp scan hitting 100 hosts.   Below are the conn.log, flowscan, and
notice.log for the entire day matching the IP and port.  

Dec  1 11:27:45 0.000000 other 51272 5060
udp 101 ? S0 L

12/01 11:27:45    17    51272 
5060     1      129

Dec  1 11:27:45 no=AddressScan na=NOTICE_EMAIL es=w5 sa=
p=5060/udp num=100 msg=\ has\ scanned\ 100\ hosts\
(5060/udp) tag=@62-7ba5-3df5e6

As you can see, at 11:27, Bro thinks 100 hosts were scanned on
5060/udp.   But the conn.log and flowscan data only show one host being
scanned.  Any ideas why this alert thinks 100 hosts are being hit when
it is one host with a single SYN?


Tyler Schoenke
Network Security Analyst
IT Security Office
University of Colorado - Boulder

More information about the Bro mailing list