[Bro] scan.bro and missing log entries

Tyler T. Schoenke Tyler.Schoenke at colorado.edu
Thu Dec 2 13:11:00 PST 2010

On 12/02/2010 11:09 AM, Vern Paxson wrote:
> The usual way is to run bro with -w trace to generate a trace file of the
> traffic it analyzes.  I sometimes run with (separate) full packet recording
> using tcpdump, because -w files don't always include everything Bro captured
> (there are mechanisms to not record some packets to it in an attempt to
> save space).
I am running a cluster on a span port that is receiving upwards of 1
Gbps.  I'm guessing the -w would quickly fill my disk.  I guess I should
try to recreate the traffic myself.

> Finally, Justin's observation about UDP is a good one.  What flags and
> analyzer scripts are you using when running Bro?
I wasn't thinking about UDP not having a handshake.  I saw the S0 and
assumed that means SYN.  I see that just means a connection attempt.  It
appears that conn.log is logging UDP streams.  If there were 100+ scans
from that IP address, those should have shown up in conn.log, right?

I'm running a majority of the default scripts that are included in the
default cluster configuration, Seth's scripts, some of my own, and a few
others that I've collected.  I have the capture filter set to ip.  


More information about the Bro mailing list