[Bro] Port Scanning Detection advice
belongtorobby at gmail.com
Mon Mar 7 16:13:21 PST 2016
I saw the original question sent in, and I am / was interested in the same.
The given response has left me more than a bit befuddled.
On Mar 7, 2016 6:12 PM, "Lizzie Chandler" <belongtorobby at gmail.com> wrote:
> I saw the original question sent in, and I am / was interested in the same.
> The given response has left me more than a bit befuddled.
> On Mar 7, 2016 5:04 PM, "Graham Bridgeland" <grahambridgeland at yahoo.co.uk> wrote:
>> Wondering if anyone could shed some light on the best way to handle port
>> scanning tasks within Bro. I'm particularly interested in creating a basic
>> script to react when a threshold is met i.e. when X attacks are detected
>> within a Y time window. Counting the attacks is fine but it's how to relate
>> to the time window I'm stuck on. With a start and end time I can create a
>> duration but as time is continuous I don't know the best method to decide
>> when to start and when to stop.
>> I'm studying the scan.bro from the \misc folder but can't work out how it
>> handles this time-window dilemma. Are there basic notes on these scripts
>> other than the comments with them? Not sure if anyone can help but thought
>> I'd ask.
>> Bro mailing list
>> bro at bro-ids.org
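As an added example (not part of this thread and not Bro's own scan.bro), here is a minimal port-scan detector built on the SumStats framework that policy/misc/scan.bro also uses. It answers the time-window question directly: SumStats counts observations per key inside a fixed `$epoch`, compares `$threshold_val` against `$threshold` on each observation, and discards the counts when the epoch expires. The module name `PortScanDemo`, the stream name `portscan.demo.fail`, the notice type `Port_Scan`, the 15-port threshold and the 5-minute window are all assumed values chosen for illustration.

```bro
##! Added example, not from the thread or from scan.bro: count the distinct
##! destination ports a source touches on one host inside a fixed window and
##! raise a notice once a threshold is crossed.

@load base/frameworks/sumstats
@load base/frameworks/notice

module PortScanDemo;   # assumed module name

export {
	redef enum Notice::Type += {
		## Raised when one source hits too many distinct ports on one host.
		Port_Scan,
	};

	## Distinct ports touched before a notice fires (assumed value).
	const port_threshold = 15.0 &redef;

	## Length of each counting window (assumed value). SumStats drops the
	## counts when the epoch ends, so there is no explicit start/stop logic.
	const window = 5min &redef;
}

event bro_init()
	{
	# Reducer: for each key, keep the set of unique observed strings (ports).
	local r1 = SumStats::Reducer($stream="portscan.demo.fail",
	                             $apply=set(SumStats::UNIQUE));

	SumStats::create([$name="portscan-demo",
	                  $epoch=window,
	                  $reducers=set(r1),
	                  # Value compared against $threshold after each observation.
	                  $threshold_val(key: SumStats::Key, result: SumStats::Result) =
	                  	{
	                  	return result["portscan.demo.fail"]$unique + 0.0;
	                  	},
	                  $threshold=port_threshold,
	                  # Called once per key per epoch when the threshold is reached.
	                  $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
	                  	{
	                  	local r = result["portscan.demo.fail"];
	                  	NOTICE([$note=Port_Scan,
	                  	        $src=key$host,
	                  	        $msg=fmt("%s touched %d distinct ports on %s within %s",
	                  	                 key$host, r$unique, key$str, window),
	                  	        $identifier=cat(key$host, key$str)]);
	                  	}]);
	}

# A rejected TCP connection (RST in answer to a SYN) is the event we count.
# Key = (scanner, target host); observation = the port that was probed.
event connection_rejected(c: connection)
	{
	SumStats::observe("portscan.demo.fail",
	                  [$host=c$id$orig_h, $str=cat(c$id$resp_h)],
	                  [$str=cat(c$id$resp_p)]);
	}
```

Load it alongside local.bro (or run `bro -r some.pcap this_script.bro` against a capture) and the notice appears in notice.log. The caveat a practitioner should keep in mind is that `$epoch` is a fixed bucket, not a sliding window: every key's counters are reset at the epoch boundary, so a scan spread across two windows can stay under the threshold in each. That is the same trade-off scan.bro makes in exchange for bounded memory; lowering `window` or `port_threshold` tightens detection at the cost of more noise.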