[Bro] Scanned Unique Host

Johanna Amann johanna at icir.org
Thu Dec 28 07:47:47 PST 2017


typically the only way to do this is to look into conn.log; it might be
possible to add that information using the SAMPLE or LAST SumStat
reducers; however that will require modifying scans.bro.


On Wed, Oct 25, 2017 at 09:40:11PM +0000, Hector Pena wrote:
> Hi,
> Is there a way to view which host were scanned when receiving a notice for the scan.bro script? We have been receiving a lot of notices lately for “x.x.x.x scanned at least X unique hosts on port X in Xtime”. I cannot seem to find a good way to determine which host were scanned by the host machine.
> Thanks,

> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

More information about the Bro mailing list