[Bro] AddressScan numbers and actual log number mismatch?

Azoff, Justin S jazoff at illinois.edu
Tue Jun 13 15:32:48 PDT 2017

> On Jun 13, 2017, at 6:21 PM, fatema bannatwala <fatema.bannatwala at gmail.com> wrote:
> Thanks Justin, quick search through the data for past 23 days still showed up only 5 IPs, all belonging to today's logs.
> Hence, was thinking, that the port/service in the Notice is one of the several services Bro notices an address scan on, and only reports the last one?
> or the address scan was actually performed on that service only.
> Looking at the script, I think the service port (4282 for ex.) is the port for which Address Scans get reported, but just wanted to verify,
> as I still not able to see more than 5 IPs hit on that port by

Ah yes, I see now that you were filtering for the port.  The policy counts scans across all ports.  You'd need to look for failed connections on any port.  You still may have to go back days to find the entire scan though.

- Justin Azoff

More information about the Bro mailing list