[Bro] Slow Port Scanning and Bro?
vern at icir.org
Mon Jan 14 12:10:51 PST 2013
(Apologies it took a while to follow up on this.)
> How is Bro handling so-called <slow port scanning> ?
It would help for you to frame more specifically what you have in mind.
The main scan detection algorithm that ships with Bro doesn't incorporate
an explicit notion of time. It does, however, have state-management knobs
that will control over how much time Bro tracks per-source state. Those
settings will affect just how slow of a scan Bro can detect.
In addition, there's the TRW scan detection algorithm that we developed
a number of years ago. It can detect very modest scanning activity (based
on observing as little as ~5 connections). It also does not have an explicit
notion of time in its detection, though likewise requires state management
in practice that will limit its scope.
In the past we've run both of these algorithms using 24-hour windows, meaning
TRW could detect scanners who did as little as ~5 connections/day.
Bro's approach to scan detection is changing with the upcoming 2.2 release,
in part to better support detection when activity is spread across multiple
cluster nodes. Seth Hall can speak more about the particulars.
Finally, we have a research project on detecting slow SSH bruteforcing
that's distributed across multiple hosts. Hopefully we'll have a paper
on that coming out sometime this year.
More information about the Bro