[Bro] connection states

Seth Hall seth at icir.org
Mon Jul 22 11:30:02 PDT 2013

On Jul 22, 2013, at 2:11 PM, Laleh Arshadi <la_arshadi at yahoo.com> wrote:

> OK... to be more precise, how can I decide which connection is suspicious to be a TCP scanning attempt?

That's mostly going to depend on what you consider a TCP scan attempt.  This is such a hard problem and could be slightly different in everyone's context.

Anyway, I would recommend taking a look at the scan.bro that is in our master repository.  It's a new script that is coming out with the upcoming 2.2 release and it works pretty well; if you read and understand that script, it should answer your question though.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
