[Bro-Dev] Unified scan.bro script

Seth Hall seth at icir.org
Tue Jul 12 14:10:59 PDT 2016

> On Jul 11, 2016, at 8:44 PM, Azoff, Justin S <jazoff at illinois.edu> wrote:
> It is.. amazing!  The unified code is simpler, uses less memory, puts less load on sumstats, generates nicer notice messages, and detects attackers scanning across multiple victims AND ports.

Nice job Justin!  Perhaps this begs the question if we should use this version in Bro?  We do have a tendency to make design decisions so that Bro works the best that it can with minimal configuration for even the largest sites.

I think the notices are very reasonable and have the additional benefit of being a single noticed to watch for for "scanning".  Having to watch for two different notices always felt a bit unnatural.  I think that I personally care about scans, not the type of scan being performed (although there may be some nuance to that that someone is taking advantage of?).


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

More information about the bro-dev mailing list