[Bro] scan.bro and missing log entries
robin at icir.org
Fri Dec 3 16:21:16 PST 2010
On Thu, Dec 02, 2010 at 15:07 -0700, you wrote:
> That would explain it. I'm guessing this machine was some sort of
> software like P2P or Skype. Is there a way to change the scanner so it
> only fires alerts when 100 hosts have been scanned on a single port?
No, the script doesn't provide that currently. The problem is that
it would require quite a bit more state to keep. I know that it
would be useful though, others have been running into similar
problems already. Perhaps we should think about adding that.
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
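The state cost mentioned in the reply can be seen in a small sketch. This is an added example, not code from scan.bro or from the author; it assumes the existing check counts distinct destination hosts per source regardless of port, and the function names, the cost measure and the sample traffic are all constructed for illustration.

```python
from collections import defaultdict

def _cells(table):
    """Rough state cost: one cell per table key plus one per stored peer."""
    return len(table) + sum(len(peers) for peers in table.values())

def detect(conns, threshold=100):
    """conns: iterable of (src, dst, dport) connection attempts.

    Runs two detectors side by side (both hypothetical sketches):
      - per source: distinct destinations on any port
      - per (source, port): distinct destinations on one port
    """
    by_src = defaultdict(set)       # src -> distinct dsts, any port
    by_src_port = defaultdict(set)  # (src, dport) -> distinct dsts on that port
    src_alerts, port_alerts = [], []
    for src, dst, dport in conns:
        for table, key, alerts in ((by_src, src, src_alerts),
                                   (by_src_port, (src, dport), port_alerts)):
            peers = table[key]
            if dst not in peers:
                peers.add(dst)
                if len(peers) == threshold:  # alert once, when crossing
                    alerts.append(key)
    return {"src_alerts": src_alerts, "port_alerts": port_alerts,
            "src_state": _cells(by_src), "port_state": _cells(by_src_port)}

def sample_conns():
    """Constructed traffic: a P2P-like host contacting 150 peers, each on a
    different port, and a scanner probing 120 hosts on port 445."""
    p2p = [("10.0.0.5", f"192.0.2.{i}", 20000 + i) for i in range(1, 151)]
    scan = [("10.0.0.9", f"198.51.100.{i}", 445) for i in range(1, 121)]
    return p2p + scan

if __name__ == "__main__":
    print(detect(sample_conns()))
```

On this sample the per-port detector flags only the port-445 scanner, but it holds one table entry per (source, port) pair, so a host that spreads its connections over many ports inflates the table even though it never triggers an alert.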