[Bro] scan.bro and missing log entries

Justin Azoff JAzoff at uamail.albany.edu
Thu Dec 2 08:38:08 PST 2010

On Thu, Dec 02, 2010 at 11:00:03AM -0500, Tyler T. Schoenke wrote:
> As you can see, at 11:27, Bro thinks 100 hosts were scanned on
> 5060/udp.   But the conn.log and flowscan data only show one host being
> scanned.  Any ideas why this alert thinks 100 hosts are being hit when
> it is one host with a single SYN?

Well if it was a udp scan for sip servers, there wouldn't be any SYN
packets.. does conn.log normally record udp streams?

-- Justin Azoff
-- Network Security & Performance Analyst

More information about the Bro mailing list