[Bro] Scanned Unique Host
Azoff, Justin S
jazoff at illinois.edu
Thu Dec 28 08:45:19 PST 2017
> On Dec 28, 2017, at 10:47 AM, Johanna Amann <johanna at icir.org> wrote:
> typically the only way to do this is to look into conn.log; it might be
> possible to add that information using the SAMPLE or LAST SumStat
> reducers; however that will require modifying scans.bro.
This has come up a few times. What do you think of the idea of adding a tags field to conn.log like http.log has?
The sql injection script makes good use of this:
    if ( match_sql_injection_uri in unescaped_URI )
        {
        # Record one observation per side: the requesting host as attacker,
        # the responding host as victim.
        SumStats::observe("http.sqli.attacker", [$host=c$id$orig_h], [$str=original_URI]);
        SumStats::observe("http.sqli.victim", [$host=c$id$resp_h], [$str=original_URI]);
        }
But there's no corresponding c$conn$tags.
Adding SCAN to c$conn$tags would make it easy to figure things out after the fact.
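An added illustration of the proposal above, not taken from the message or from Bro's own scripts: a standalone Bro policy script that adds a tags field to conn.log and stamps SCAN on connections from hosts a scan detector has flagged. The Tags enum, the scanners set, and the flag_scanner function are assumed names for the sketch; an existing detector (such as scans.bro's threshold callback) would have to be wired to call flag_scanner.

```bro
# Added example, not part of the original thread or of Bro's distribution.
# Assumed names: Conn::Tags, Conn::SCAN, Conn::scanners, Conn::flag_scanner.

module Conn;

export {
    ## Tag values a script can attach to a connection, mirroring HTTP::Tags.
    type Tags: enum {
        SCAN,
    };

    redef record Conn::Info += {
        ## Tags attached to this connection; appears as a column in conn.log.
        tags: set[Tags] &log &default=set();
    };

    ## Hosts currently considered scanners. Entries age out on their own so a
    ## host is not tagged forever after a single burst.
    global scanners: set[addr] &create_expire=1hr;

    ## Called by a scan detector once a source crosses its threshold.
    global flag_scanner: function(scanner: addr);
}

function flag_scanner(scanner: addr)
    {
    add scanners[scanner];
    }

# conn.log writes its record from connection_state_remove at priority -5, so
# running at -3 lets the tag be added before the record is written.
event connection_state_remove(c: connection) &priority=-3
    {
    if ( c?$conn && c$id$orig_h in scanners )
        add c$conn$tags[SCAN];
    }
```

Connections that completed before the threshold was crossed are already logged and stay untagged; the tag only helps with the traffic that follows detection.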