[Bro-Dev] Unified scan.bro script

Azoff, Justin S jazoff at illinois.edu
Fri Jul 15 15:47:14 PDT 2016

A further iteration of the unified scan.bro script is now in the branch topic/jazoff/scan-unified

Use of the branch isn't required though; as it is a self-contained change, one can just grab the 


and replace the stock scan.bro with it (or better, move it to site and change the loading from misc/scan to just ./scan.bro).

It is aiming to replace scan.bro, so you cannot run both at the same time. However, if you really wanted to, you could search/replace all the identifiers that conflict with scan.bro and run both.

It should behave visibly similar to current scan.bro except there is a new Random scan notice:

Scan::Random_Scan scanned at least 102 hosts on 82 ports in 4m51s

and the existing notices may report for more than one port or host (up to 5) - after that it becomes a Random_Scan

Address_Scan scanned at least 102 unique hosts on ports 3128, 8080 in 4m47s

- Justin Azoff
