[Bro] Port Scanning Detection advice

Graham Bridgeland grahambridgeland at yahoo.co.uk
Mon Mar 7 14:56:33 PST 2016

Wondering if anyone could shed some light on the best way to handle port scanning tasks within Bro. I'm particularly interested in creating a basic script to react when a threshold is met, i.e. when X attacks are detected within a Y time window. Counting the attacks is fine but it's how to relate to the time window I'm stuck on. With a start and end time I can create a duration but as time is continuous I don't know the best method to decide when to start and when to stop.
I'm studying the scan.bro from the \misc folder but can't work out how it handles this time-window dilemma. Are there basic notes on these scripts other than the comments with them? Not sure if anyone can help but thought I'd ask.
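
One way to handle the "X within Y" question above is a sliding window anchored at the newest event, so there is no fixed start or stop to choose. This is an added Python example, not part of the original post and not how Bro's scan.bro is implemented; `ScanDetector`, `run` and the sample events are constructed for illustration, and events are assumed to arrive in time order.

```python
from collections import defaultdict, deque

# Constructed sample: (timestamp_seconds, source, destination, port)
SAMPLE = [
    (0.0, "10.0.0.5", "192.0.2.10", 22),
    (0.0, "10.0.0.9", "192.0.2.10", 22),
    (1.0, "10.0.0.5", "192.0.2.10", 23),
    (2.0, "10.0.0.5", "192.0.2.10", 80),
    (3.0, "10.0.0.5", "192.0.2.10", 443),
    (4.0, "10.0.0.5", "192.0.2.10", 8080),
    (5.0, "10.0.0.5", "192.0.2.10", 3389),
    (20.0, "10.0.0.9", "192.0.2.10", 23),
    (40.0, "10.0.0.9", "192.0.2.10", 80),
    (60.0, "10.0.0.9", "192.0.2.10", 443),
    (80.0, "10.0.0.9", "192.0.2.10", 8080),
]

class ScanDetector:
    """Alert when a source touches `threshold` distinct (host, port)
    targets within any `window` seconds."""

    def __init__(self, threshold, window):
        self.threshold = threshold
        self.window = window
        self.events = defaultdict(deque)  # src -> deque of (ts, target)
        self.alerted = {}                 # src -> timestamp of last alert

    def observe(self, ts, src, dst, port):
        q = self.events[src]
        q.append((ts, (dst, port)))
        # The window ends at the newest event; expire everything older.
        while q and q[0][0] <= ts - self.window:
            q.popleft()
        if len({target for _, target in q}) < self.threshold:
            return False
        # Suppress repeat alerts for the same source inside one window.
        last = self.alerted.get(src)
        if last is not None and ts - last < self.window:
            return False
        self.alerted[src] = ts
        return True

def run(events, threshold, window):
    """Return (timestamp, source) for every event that raises an alert."""
    det = ScanDetector(threshold, window)
    return [(ts, src) for ts, src, dst, port in events
            if det.observe(ts, src, dst, port)]
```

With a threshold of 5 and a 10-second window, only the fast source alerts; the source that spreads the same five ports over 80 seconds stays under the threshold until the window is widened.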

