[Bro] connection states
seth at icir.org
Mon Jul 22 11:30:02 PDT 2013
On Jul 22, 2013, at 2:11 PM, Laleh Arshadi <la_arshadi at yahoo.com> wrote:
> OK... to be more precise, how can I decide which connection is suspicious to be a TCP scanning attempt?
That's mostly going to depend on what you consider a TCP scan attempt. This is such a hard problem and could be slightly different in everyone's context.
Anyway, I would recommend taking a look at the scan.bro that is in our master repository. It's a new script that is coming out with the upcoming 2.2 release and it works pretty well. If you read and understand that script, it should answer your question, though.
International Computer Science Institute
(Bro) because everyone has a network