[Bro] Port Scanning Detection advice
belongtorobby at gmail.com
Mon Mar 7 16:12:28 PST 2016
I saw the original question sent in, and I am / was interested in the same.
The given response has left me more than a bit befuddled.
On Mar 7, 2016 5:04 PM, "Graham Bridgeland" <grahambridgeland at yahoo.co.uk>
> Wondering if anyone could shed some light on the best way to handle port
> scanning tasks within Bro. I'm particularly interested in creating a basic
> script to react when a threshold is met, i.e. when X attacks are detected
> within a Y time window. Counting the attacks is fine, but it's how to relate
> to the time window that I'm stuck on. With a start and end time I can create a
> duration, but as time is continuous I don't know the best method to decide
> when to start and when to stop.
> I'm studying the scan.bro from the \misc folder but can't work out how it
> handles this time-window dilemma. Are there basic notes on these scripts
> other than the comments with them? Not sure if anyone can help but thought
> I'd ask.
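The time-window question above is what Bro's SumStats framework exists to answer: you register an observation stream and an epoch length, and the framework counts (or, as here, collects unique values) per key, fires a callback once a threshold is crossed, and discards the counters when the epoch ends, so the script never has to pick a start or stop time itself. The following is an added illustration, not the project's scan.bro and not code from either poster; the module name `ScanDemo`, the stream name `scandemo.port.fail`, the notice type `Port_Scan`, and the threshold and window values are all assumptions chosen for the example.

```bro
@load base/frameworks/sumstats
@load base/frameworks/notice

module ScanDemo;

export {
    redef enum Notice::Type += {
        ## Raised when one source is rejected on many distinct ports.
        Port_Scan,
    };

    ## X: distinct rejected ports from one source before we react (assumed value).
    const port_threshold = 15.0 &redef;

    ## Y: length of the measurement window (assumed value).
    const window = 5min &redef;
}

event bro_init()
    {
    # Reducer: for each key (the scanning host) keep the set of unique
    # destination ports observed on the stream. unique_max bounds memory
    # since we only care whether the count passes the threshold.
    local r = SumStats::Reducer($stream="scandemo.port.fail",
                                $apply=set(SumStats::UNIQUE),
                                $unique_max=double_to_count(port_threshold + 1));

    # The epoch is the time window. SumStats resets per-key state every
    # epoch, which is the "when to start and when to stop" decision.
    SumStats::create([$name="scandemo-port-scan",
                      $epoch=window,
                      $reducers=set(r),
                      $threshold=port_threshold,
                      $threshold_val(key: SumStats::Key, result: SumStats::Result) =
                          {
                          # Value compared against $threshold for this key.
                          return result["scandemo.port.fail"]$unique + 0.0;
                          },
                      $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
                          {
                          # Fires once per key per epoch when the value passes the threshold.
                          NOTICE([$note=Port_Scan,
                                  $src=key$host,
                                  $msg=fmt("%s was rejected on %d distinct ports within %s",
                                           key$host,
                                           result["scandemo.port.fail"]$unique,
                                           window),
                                  $identifier=cat(key$host)]);
                          }]);
    }

# One observation per rejected connection attempt (SYN answered by RST):
# the key is the originator, the unique value is the destination port.
event connection_rejected(c: connection)
    {
    SumStats::observe("scandemo.port.fail",
                      [$host=c$id$orig_h],
                      [$str=cat(c$id$resp_p)]);
    }
```

The epoch here is a tumbling window, not a sliding one: a source that spreads its attempts across an epoch boundary can stay under the threshold in both halves, which is the usual trade-off for keeping state bounded on a busy sensor. The stock scan.bro follows the same pattern, with separate streams and intervals for address scans and port scans, so reading it with the SumStats documentation open is the quickest way to see where its windows come from.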