[Bro] Scanned Unique Host

Azoff, Justin S jazoff at illinois.edu
Thu Dec 28 08:45:19 PST 2017

> On Dec 28, 2017, at 10:47 AM, Johanna Amann <johanna at icir.org> wrote:
> Hi,
> typically the only way to do this is to look into conn.log; it might be
> possible to add that information using the SAMPLE or LAST SumStat
> reducers; however that will require modifying scans.bro.
> Johanna

This has come up a few times.. What do you think of the idea of adding a tags field to conn.log like http.log has?

The sql injection script makes good use of this:

    if ( match_sql_injection_uri in unescaped_URI )
        add c$http$tags[URI_SQLI];

        SumStats::observe("http.sqli.attacker", [$host=c$id$orig_h], [$str=original_URI]);
        SumStats::observe("http.sqli.victim",   [$host=c$id$resp_h], [$str=original_URI]);

But there's no corresponding c$conn$tags

Adding SCAN to c$conn$tags would make it easy to figure things out after the fact.

Justin Azoff

More information about the Bro mailing list