[Bro] scan.bro and missing log entries
Tyler T. Schoenke
Tyler.Schoenke at colorado.edu
Thu Dec 2 13:11:00 PST 2010
On 12/02/2010 11:09 AM, Vern Paxson wrote:
> The usual way is to run bro with -w trace to generate a trace file of the
> traffic it analyzes. I sometimes run with (separate) full packet recording
> using tcpdump, because -w files don't always include everything Bro captured
> (there are mechanisms to not record some packets to it in an attempt to
> save space).
I am running a cluster on a span port that is receiving upwards of 1
Gbps. I'm guessing the -w would quickly fill my disk. I guess I should
try to recreate the traffic myself.
> Finally, Justin's observation about UDP is a good one. What flags and
> analyzer scripts are you using when running Bro?
I wasn't thinking about UDP not having a handshake. I saw the S0 and
assumed that means SYN. I see that just means a connection attempt. It
appears that conn.log is logging UDP streams. If there were 100+ scans
from that IP address, those should have shown up in conn.log, right?
I'm running a majority of the default scripts that are included in the
default cluster configuration, Seth's scripts, some of my own, and a few
others that I've collected. I have the capture filter set to ip.
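As an added example (not from this thread or from the Bro project), the cross-check Tyler describes: walk conn.log for originators with many unanswered (S0) attempts and report the per-protocol breakdown, since S0 is a connection state that UDP flows without a reply receive just as TCP ones do. The tab-separated column layout and the sample rows are constructed assumptions, not the field order of any particular Bro release.

```python
from collections import defaultdict

# Constructed sample conn.log records (tab-separated). The column layout is an
# assumption for this example, not the exact field order of the poster's Bro
# version: ts, orig_h, orig_p, resp_h, resp_p, proto, conn_state.
SAMPLE_CONN_LOG = """\
1291320000.10\t10.0.0.5\t40001\t192.168.1.1\t53\tudp\tS0
1291320000.20\t10.0.0.5\t40002\t192.168.1.2\t53\tudp\tS0
1291320000.30\t10.0.0.5\t40003\t192.168.1.3\t53\tudp\tS0
1291320000.40\t10.0.0.5\t40004\t192.168.1.4\t53\tudp\tS0
1291320000.50\t10.0.0.5\t40005\t192.168.1.1\t22\ttcp\tS0
1291320001.00\t10.0.0.9\t51000\t192.168.1.1\t80\ttcp\tSF
1291320001.10\t10.0.0.9\t51001\t192.168.1.1\t123\tudp\tS0
"""

FIELDS = ("ts", "orig_h", "orig_p", "resp_h", "resp_p", "proto", "conn_state")


def parse_conn_log(text):
    """Yield one dict per non-empty, non-comment line; skip malformed rows."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue
        yield dict(zip(FIELDS, parts))


def s0_sources(records, min_targets=3):
    """Group S0 records (attempt seen, no reply) by originator.

    S0 is a connection state, not a SYN flag: UDP flows with no answer are
    logged as S0 too, so a per-protocol count is reported next to the number
    of distinct (resp_h, resp_p) targets. Only originators with at least
    min_targets distinct unanswered targets are returned.
    """
    targets = defaultdict(set)
    protos = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r["conn_state"] != "S0":
            continue
        targets[r["orig_h"]].add((r["resp_h"], r["resp_p"]))
        protos[r["orig_h"]][r["proto"]] += 1
    return {
        src: {"targets": len(t), "protos": dict(protos[src])}
        for src, t in targets.items()
        if len(t) >= min_targets
    }


if __name__ == "__main__":
    for src, info in s0_sources(parse_conn_log(SAMPLE_CONN_LOG)).items():
        print(src, info)
```

Running it against a real conn.log means pointing parse_conn_log at the file contents and adjusting FIELDS to that Bro version's column order.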