[Bro] Scan UDP

Nicolas Macia CESPI nmacia at cespi.unlp.edu.ar
Wed Mar 9 16:44:00 PST 2016

Hi Seth, we were using [1] for some time and we found it triggers some
false positive alerts.

The problem was detected with NTP and DNS servers with a lot of
activity. The script alerts that these servers were scanning UDP ports
when in reality they were responding to requests to their services.

Today we use an external bash script to determine whether or not it is a
false positive (using known UDP ports)... not the best solution but it
works pretty well

[1] https://github.com/sethhall/bro-junk-drawer/blob/master/scan_udp.bro


> On 12/02/16 at 17:00, bro-request at bro.org wrote:
>> Today's Topics:
>>    1. Re: Scan UDP (Seth Hall)
>>    2. Re: Scan UDP (Forest Monsen)
>>    3. Re: SHA256 Hash File Analyzer (Shawn Homan)
>> ----------------------------------------------------------------------
>> Message: 1
>> Date: Thu, 11 Feb 2016 15:58:33 -0500
>> From: Seth Hall <seth at icir.org>
>> Subject: Re: [Bro] Scan UDP
>> To: Cristian Daniel Barbaro <cbarbaro at cert.unlp.edu.ar>
>> Cc: bro at bro.org
>> Message-ID: <82CCEB61-C63B-49C8-8CDA-35DDB1D05B01 at icir.org>
>> Content-Type: text/plain; charset=us-ascii
>>> On Feb 11, 2016, at 1:53 PM, Cristian Daniel Barbaro <cbarbaro at cert.unlp.edu.ar> wrote:
>>> Bro implements this scan type detect?
>> There is a prototype script that we put together a while ago that detects UDP scans.  If you run it, I'd love to get any feedback that you have.
>> 	https://github.com/sethhall/bro-junk-drawer/blob/master/scan_udp.bro
>>   .Seth

Centro Superior para el Procesamiento de la Información

Universidad Nacional de La Plata
Protect the environment. Do not print this email unless it is absolutely necessary
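Added example, not the bash script Nicolas describes and not part of scan_udp.bro: a post-filter that applies the heuristic the message relies on, checking whether the host reported as a UDP scanner is only ever sending from a well-known UDP service port (a busy DNS or NTP server answering clients) rather than from an ephemeral port. It assumes a conn.log-style tab-separated input with the fields ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto; the list of known UDP ports and the sample log lines are constructed for the example.

```sh
#!/bin/sh
# Added example, not the bash script from the post: a post-filter for
# Bro UDP-scan notices that applies the heuristic the post describes,
# "is the alleged scanner just a server answering from a known UDP port?".
#
# Assumptions (not stated on the page): the conn.log-style input is a TSV of
#   ts  id.orig_h  id.orig_p  id.resp_h  id.resp_p  proto
# and the port list below is the set of UDP services the site runs.

TAB=$(printf '\t')

# Assumed list of UDP service ports a busy server legitimately sends from.
KNOWN_UDP_PORTS="53 67 68 69 123 137 138 161 162 500 514 4500"

# is_known_udp_port PORT -> exit status 0 if PORT is in KNOWN_UDP_PORTS
is_known_udp_port() {
    port=$1
    for p in $KNOWN_UDP_PORTS; do
        if [ "$p" = "$port" ]; then
            return 0
        fi
    done
    return 1
}

# classify_host SUSPECT_IP < conn.log
# Looks only at UDP flows the suspect originates and prints:
#   false-positive  every such flow is sourced from a known service port
#   scan            at least one flow is sourced from an unknown port
#   no-data         the suspect originates no UDP flows in the input
classify_host() {
    suspect=$1
    total=0
    unknown=0
    while IFS=$TAB read -r ts orig_h orig_p resp_h resp_p proto; do
        [ "$proto" = "udp" ] || continue
        [ "$orig_h" = "$suspect" ] || continue
        total=$((total + 1))
        if ! is_known_udp_port "$orig_p"; then
            unknown=$((unknown + 1))
        fi
    done
    if [ "$total" -eq 0 ]; then
        echo no-data
    elif [ "$unknown" -eq 0 ]; then
        echo false-positive
    else
        echo scan
    fi
}

# Constructed sample conn.log (not real traffic). 192.0.2.53 is a DNS/NTP
# server whose answers were seen without the matching queries, so it is
# recorded as originator; 203.0.113.9 probes many ports from one ephemeral port.
emit() { printf '%s\t%s\t%s\t%s\t%s\t%s\n' "$@"; }
sample_conn_log() {
    emit 1457560000.1 192.0.2.53   53    198.51.100.7  41233 udp
    emit 1457560000.2 192.0.2.53   53    198.51.100.8  51902 udp
    emit 1457560000.3 192.0.2.53   53    198.51.100.9  60017 udp
    emit 1457560000.4 192.0.2.53   123   198.51.100.9  123   udp
    emit 1457560001.0 203.0.113.9  40512 198.51.100.7  161   udp
    emit 1457560001.1 203.0.113.9  40512 198.51.100.7  1900  udp
    emit 1457560001.2 203.0.113.9  40512 198.51.100.7  5353  udp
    emit 1457560002.0 198.51.100.7 33201 203.0.113.9   22    tcp
}

# Usage: print a verdict for each host the scan script reported.
for host in 192.0.2.53 203.0.113.9; do
    printf '%s: %s\n' "$host" "$(sample_conn_log | classify_host "$host")"
done
```

This is a triage filter, not a replacement for the detector: a scanner that deliberately sources its probes from UDP/53 or UDP/123 would be classified as a false positive, and a server that also originates even one flow from an ephemeral port would still be reported as a scan, so the verdict is best combined with the distinct-port and distinct-host counts the scan script already tracks.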
