[Bro] scan.bro and missing log entries
JAzoff at uamail.albany.edu
Thu Dec 2 08:38:08 PST 2010
On Thu, Dec 02, 2010 at 11:00:03AM -0500, Tyler T. Schoenke wrote:
> As you can see, at 11:27, Bro thinks 100 hosts were scanned on
> 5060/udp. But the conn.log and flowscan data only show one host being
> scanned. Any ideas why this alert thinks 100 hosts are being hit when
> it is one host with a single SYN?
Well, if it was a UDP scan for SIP servers, there wouldn't be any SYN
packets. Does conn.log normally record UDP streams?
-- Justin Azoff
-- Network Security & Performance Analyst
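As an added illustration (not part of this thread, and not Bro's own code), a small Python cross-check that tallies distinct responder hosts per originator and responder port from conn.log, split by transport protocol, so the host count a scan alert reports can be compared against what conn.log actually recorded, and so the absence of UDP records shows up as a missing `udp` key rather than a silent zero. It assumes a tab-separated conn.log with a `#fields` header naming the columns `id.orig_h`, `id.resp_h`, `id.resp_p` and `proto`; the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample in the tab-separated conn.log layout assumed above;
# only the columns the cross-check needs are included.
SAMPLE_CONN_LOG = """\
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state
1291306020.1\t10.0.0.5\t5060\t192.0.2.10\t5060\tudp\tS0
1291306020.2\t10.0.0.5\t5060\t192.0.2.11\t5060\tudp\tS0
1291306020.3\t10.0.0.5\t5060\t192.0.2.10\t5060\tudp\tS0
1291306021.0\t10.0.0.7\t44123\t192.0.2.20\t22\ttcp\tS0
1291306021.5\t10.0.0.7\t44124\t192.0.2.21\t22\ttcp\tS0
"""

def parse_conn_log(text):
    """Yield one dict per record, taking column names from the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue  # other header/comment lines and blanks
        if fields is None:
            raise ValueError("record seen before #fields header")
        yield dict(zip(fields, line.split("\t")))

def distinct_responders(text):
    """Map (orig_h, resp_p, proto) -> set of distinct responder hosts."""
    seen = defaultdict(set)
    for rec in parse_conn_log(text):
        key = (rec["id.orig_h"], int(rec["id.resp_p"]), rec["proto"])
        seen[key].add(rec["id.resp_h"])
    return seen

def scan_counts(text, threshold=1):
    """Return {(orig_h, resp_p, proto): n_hosts} for keys at or above threshold.

    Repeated flows to the same responder (the third udp record) count once,
    which is the number a per-destination scan detector should be comparing.
    """
    return {k: len(v) for k, v in distinct_responders(text).items()
            if len(v) >= threshold}

if __name__ == "__main__":
    for (orig, port, proto), n in sorted(scan_counts(SAMPLE_CONN_LOG).items()):
        print(f"{orig} -> {n} distinct host(s) on {port}/{proto}")
```

If the `udp` keys are absent for a source that the scan detector flagged, conn.log is not recording those flows and the discrepancy lies in logging rather than in the detector's count.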