[Bro] Scanned Unique Host
johanna at icir.org
Thu Dec 28 07:47:47 PST 2017
typically the only way to do this is to look into conn.log; it might be
possible to add that information using the SAMPLE or LAST SumStat
reducers; however that will require modifying scans.bro.
On Wed, Oct 25, 2017 at 09:40:11PM +0000, Hector Pena wrote:
> Is there a way to view which host were scanned when receiving a notice for the scan.bro script? We have been receiving a lot of notices lately for “x.x.x.x scanned at least X unique hosts on port X in Xtime”. I cannot seem to find a good way to determine which host were scanned by the host machine.
> Bro mailing list
> bro at bro-ids.org
More information about the Bro