[Bro] AddressScan numbers and actual log number mismatch?

fatema bannatwala fatema.bannatwala at gmail.com
Tue Jun 13 14:28:33 PDT 2017


Hi All,

So we had an incident today where an IP got blocked because it was doing an
Address Scan, as reported by Bro.

But when asked to corroborate the activity with actual logs, I couldn't
find the relevant logs or the number of distinct IPs the scanner connected to.

To clarify:

Here is the log that reported an Address Scan:

1497360944.102926       Reporter::INFO  AddressScan NOTICE 71.162.229.81 has *scanned 30 hosts (4282/tcp)*        manager

But when I did a quick grep through the conn logs, only 5 distinct IPs
showed up, as opposed to 30:

$ zcat conn.09:00:00-10:00:00.log.gz | grep "71.162.229.81" | grep "4282" | awk -F'\t' '{if ($6 == "4282") print $5}' | sort | uniq -c | sort -rn
     38 128.x.x.x
     26 128.y.y.y
     20 128.z.z.z
      2 128.k.k.k
      2 128.j.j.j

I even looked through all the conn logs, but still couldn't get the "30 IPs"
reported by the notice log:

$ zcat conn.*.log.gz | grep "71.162.229.81" | grep "4282" | awk -F'\t' '{if ($6 == "4282") print $5}' | sort | uniq | sort -rn
128.x.x.x
128.y.y.y
128.z.z.z
128.k.k.k
128.j.j.j

Not sure why the numbers don't match up. Also, to mention, I am using
the check-addressscan.bro script from the Scan-NG scripts folder.

Any idea? Or am I interpreting the logs correctly?

Thanks,
Fatema.
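As an added example (not part of the original message or of Scan-NG), the same corroboration count done in Python instead of grep/awk: column positions are read from the conn.log `#fields` header rather than assumed to be $5/$6, and only connections where the suspect IP is `id.orig_h` are counted, so lines where it appears as the responder are not mistaken for probes. The log excerpt, addresses and uids below are constructed for the example.

```python
from collections import defaultdict

# Constructed Zeek/Bro conn.log excerpt in ASCII-writer format (tab-separated,
# #fields header); addresses and uids are made up for this example.
SAMPLE_CONN_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tstring
1497360901.100000\tCa1\t71.162.229.81\t51000\t128.0.0.1\t4282\ttcp\t-\t-\tS0
1497360902.100000\tCb2\t71.162.229.81\t51001\t128.0.0.1\t4282\ttcp\t-\t-\tS0
1497360903.100000\tCc3\t71.162.229.81\t51002\t128.0.0.2\t4282\ttcp\t-\t-\tREJ
1497360904.100000\tCd4\t71.162.229.81\t51003\t128.0.0.3\t4282\ttcp\t-\t-\tS0
1497360905.100000\tCe5\t71.162.229.81\t51004\t128.0.0.4\t22\ttcp\t-\t-\tS0
1497360906.100000\tCf6\t128.0.0.9\t4282\t71.162.229.81\t443\ttcp\tssl\t0.5\tSF
#close\t2017-06-13-10-00-00
"""


def distinct_responders(lines, orig_h):
    """Map resp_p -> set of resp_h for connections *originated* by orig_h.

    Column indices come from the #fields header, so extra or reordered
    columns do not silently shift the count; the last sample line (scanner
    as responder) is excluded because its id.orig_h does not match."""
    idx = None
    per_port = defaultdict(set)
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#fields"):
            idx = {name: i for i, name in enumerate(line.split("\t")[1:])}
            continue
        if not line or line.startswith("#"):
            continue
        if idx is None:
            raise ValueError("data line before #fields header")
        cols = line.split("\t")
        if cols[idx["id.orig_h"]] == orig_h:
            per_port[cols[idx["id.resp_p"]]].add(cols[idx["id.resp_h"]])
    return dict(per_port)


def host_counts(lines, orig_h):
    """[(resp_p, distinct hosts)] ordered like `sort | uniq -c | sort -rn`."""
    per_port = distinct_responders(lines, orig_h)
    return sorted(((p, len(h)) for p, h in per_port.items()),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for port, n in host_counts(SAMPLE_CONN_LOG.splitlines(), "71.162.229.81"):
        print(f"{n:>4} distinct hosts on port {port}")
```

For a real file, pass `gzip.open(path, "rt")` (the equivalent of `zcat`) as `lines`; the per-port split also shows hosts probed on other ports, which a single-port grep does not.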