[Bro] Port Scanning Detection advice
mahimjamal360 at hotmail.com
Mon Mar 7 15:49:32 PST 2016
Are you aware of this law, the Computer Fraud and Abuse Act?
Updated you earlier in regards to this item; also, there are some new things added to it, so be advised further.
Thanks again, and all the best regards. To address this foolish form of misinformation: whichever angle they try to create is covered and should be resolved as soon as possible to get the wrong bits out of the way.
Date: Mon, 7 Mar 2016 22:56:33 +0000
From: grahambridgeland at yahoo.co.uk
To: bro at bro.org
Subject: [Bro] Port Scanning Detection advice
Wondering if anyone could shed some light on the best way to handle port scanning tasks within Bro. I'm particularly interested in creating a basic script to react when a threshold is met, i.e. when X attacks are detected within a Y time window. Counting the attacks is fine, but it's how to relate to the time window that I'm stuck on. With a start and end time I can create a duration, but as time is continuous I don't know the best method to decide when to start and when to stop.
I'm studying the scan.bro from the \misc folder but can't work out how it handles this time-window dilemma. Are there basic notes on these scripts other than the comments with them? Not sure if anyone can help but thought I'd ask.
Bro mailing list
bro at bro-ids.org
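The "when does the window start and stop" question in the quoted post has two standard answers, and the example below (added here, written in Python rather than Bro script, and not code from the thread or from the Bro project) shows both side by side. Mode "epoch" counts inside fixed, non-overlapping windows of Y seconds and resets at the boundary, which is the shape scan.bro gets from the SumStats framework's `$epoch`; mode "sliding" treats the window as "the last Y seconds before this event" and trims expired observations from a per-source queue. The events, thresholds, and IPs are constructed sample data; the class and function names are this example's own.

```python
from collections import defaultdict, deque


class PortScanWindow:
    """Alert when one source touches >= threshold distinct ports in `window` seconds.

    mode="epoch":   fixed windows of `window` seconds starting at the key's first
                    event; the port set is cleared when the epoch rolls over
                    (the SumStats-style behaviour scan.bro relies on).
    mode="sliding": the window is the last `window` seconds before each event;
                    expired observations are trimmed from a per-key queue.
    """

    def __init__(self, threshold, window, mode="sliding"):
        if mode not in ("sliding", "epoch"):
            raise ValueError("mode must be 'sliding' or 'epoch'")
        self.threshold = threshold
        self.window = float(window)
        self.mode = mode
        self._queue = defaultdict(deque)  # sliding: key -> deque of (ts, port)
        self._epoch = {}                  # epoch:   key -> (epoch_start, set(ports))
        self._alerted = set()             # keys already alerted in their current window

    def _sliding_count(self, key, ts, port):
        q = self._queue[key]
        q.append((ts, port))
        # The window starts `window` seconds before this event: drop older entries.
        while ts - q[0][0] > self.window:
            q.popleft()
        return len({p for _, p in q})

    def _epoch_count(self, key, ts, port):
        start, ports = self._epoch.get(key, (ts, set()))
        if ts - start >= self.window:
            # Epoch rolled over: restart counting from this event and re-arm.
            start, ports = ts, set()
            self._alerted.discard(key)
        ports.add(port)
        self._epoch[key] = (start, ports)
        return len(ports)

    def observe(self, key, ts, port):
        """Feed one (source, time, destination port) observation.

        Returns True only on a fresh threshold crossing, so a scanner that keeps
        going inside the same window produces one alert, not one per packet.
        """
        if self.mode == "sliding":
            n = self._sliding_count(key, ts, port)
            if n < self.threshold:
                self._alerted.discard(key)  # window drained below threshold: re-arm
        else:
            n = self._epoch_count(key, ts, port)
        if n >= self.threshold and key not in self._alerted:
            self._alerted.add(key)
            return True
        return False


def detect(events, threshold, window, mode):
    """Run the detector over (ts, orig_h, resp_p) tuples; return [(orig_h, ts), ...]."""
    det = PortScanWindow(threshold, window, mode)
    return [(src, ts) for ts, src, port in events if det.observe(src, ts, port)]


# Constructed sample: (timestamp in seconds, source address, destination port).
# 10.0.0.5 probes ports either side of the t=10 epoch boundary; 10.0.0.9 is a
# normal client hitting one port.
EVENTS = [
    (0.0, "10.0.0.5", 22),
    (8.0, "10.0.0.5", 23),
    (9.0, "10.0.0.5", 25),
    (11.0, "10.0.0.5", 80),
    (12.0, "10.0.0.5", 443),
    (13.0, "10.0.0.5", 8080),
    (14.0, "10.0.0.5", 3389),
    (15.0, "10.0.0.9", 443),
    (40.0, "10.0.0.5", 22),
]

if __name__ == "__main__":
    for mode in ("sliding", "epoch"):
        print(mode, detect(EVENTS, threshold=4, window=10, mode=mode))
```

With threshold 4 over a 10-second window, the sliding detector fires at t=12 (ports 23, 25, 80, 443 all fall inside the last ten seconds), while the epoch detector resets at t=11 and only fires at t=14 once four ports accumulate in the second epoch. That gap is the trade-off: an epoch is cheap (one counter per key, no per-event queue) but can miss or delay a scan that straddles the boundary; a sliding window catches it at the cost of memory proportional to the events kept per key.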