[Bro-Dev] Unified scan.bro script

Azoff, Justin S jazoff at illinois.edu
Tue Jul 12 14:31:09 PDT 2016

> On Jul 12, 2016, at 5:10 PM, Seth Hall <seth at icir.org> wrote:
>> On Jul 11, 2016, at 8:44 PM, Azoff, Justin S <jazoff at illinois.edu> wrote:
>> It is.. amazing!  The unified code is simpler, uses less memory, puts less load on sumstats, generates nicer notice messages, and detects attackers scanning across multiple victims AND ports.
> Nice job Justin!  Perhaps this begs the question if we should use this version in Bro?  We do have a tendency to make design decisions so that Bro works the best that it can with minimal configuration for even the largest sites.

I think that is the hard part :-)  Minimally as a first step we can make it available with 2.5 but disabled by default. If someone isn't relying on the existing behavior they can take advantage of it immediately.  We can move the parts common to scan.bro and scan_unified.bro into a common script so they won't conflict.  We could also make it the default in 2.5, but as long as someone keeps their old local.bro nothing will change unless they want it to.

We just need to fix the backscatter issue first :-)

> I think the notices are very reasonable and have the additional benefit of being a single noticed to watch for for "scanning".  Having to watch for two different notices always felt a bit unnatural.  I think that I personally care about scans, not the type of scan being performed (although there may be some nuance to that that someone is taking advantage of?).

That did occur to me.. with this new version it is hard to apply a notice policy to the resulting notice.. i.e. do one thing if they were scanning port 22, do something else if they were scanning port 3389, do something else if they port scanned a single machine..  If only I could put the set of ports and hosts scanned inside the notice somewhere..

The unified scanning detection complicates the notice generation.  Before there was 1 notice for each of 2 different behaviors, my script has 1 notice for 5 behaviors:

* Scanning 1 port on many hosts
* Scanning <= 5 ports on many hosts
* Scanning many ports on 1 host
* Scanning many ports on <= 5 hosts
* Scanning many ports on many hosts.

Maybe a solution is to raise different notices? otherwise someone needs to do nasty regex stuff inside of a notice policy to tell them apart.  It would help if I knew how current bro users were using Scan::AddressScan and Scan::PortScan notices.

- Justin Azoff

More information about the bro-dev mailing list