[Bro-Dev] Unified scan.bro script
Azoff, Justin S
jazoff at illinois.edu
Fri Jul 15 15:47:14 PDT 2016
A further iteration of the unified scan.bro script is now in the branch topic/jazoff/scan-unified.
Use of the branch isn't required though; as it is a self-contained change, one can just grab
https://raw.githubusercontent.com/bro/bro/31b63445ed07e2e76f98c49dd59091b1742523d1/scripts/policy/misc/scan.bro
and replace the stock scan.bro with it (or better, move it to site and change the loading from misc/scan to just ./scan.bro).
It is aiming to replace scan.bro, so you cannot run both at the same time. However, if you really wanted to, you could search/replace all the identifiers that conflict with scan.bro and run both.
It should behave visibly similar to current scan.bro except there is a new Random scan notice:
Scan::Random_Scan 198.20.69.74 scanned at least 102 hosts on 82 ports in 4m51s
and the existing notices may report for more than one port or host (up to 5) - after that it becomes a Random_Scan
Address_Scan 91.236.75.4 scanned at least 102 unique hosts on ports 3128, 8080 in 4m47s
--
- Justin Azoff
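
Added example, not part of the original post and not code from scan.bro: a small Python parser that turns the two notice message shapes quoted above into structured records for triage. The regular expression is an assumption derived only from those two sample lines, and the function names are hypothetical.

```python
import re

# Assumption: message layout inferred from the two notices quoted in the post.
#   Random_Scan:  "<src> scanned at least N hosts on M ports in <interval>"
#   Address_Scan: "<src> scanned at least N unique hosts on ports a, b in <interval>"
NOTICE_RE = re.compile(
    r"^(?:Scan::)?(?P<note>\w+)\s+(?P<src>\S+) scanned at least "
    r"(?P<hosts>\d+) (?:unique )?hosts on "
    r"(?:(?P<nports>\d+) ports|ports? (?P<ports>\d+(?:, ?\d+)*)) "
    r"in (?P<dur>(?:\d+[dhms])+)$"
)
UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}


def duration_seconds(text):
    """Convert an interval such as '4m51s' to a number of seconds."""
    return sum(int(n) * UNIT_SECONDS[u] for n, u in re.findall(r"(\d+)([dhms])", text))


def parse_scan_notice(line):
    """Return a dict for a recognised scan notice, or None for any other line."""
    m = NOTICE_RE.match(line.strip())
    if m is None:
        return None
    # Explicit port list is present only while the scanner stays under the
    # "up to 5" limit mentioned in the post; Random_Scan carries a count instead.
    ports = [int(p) for p in m.group("ports").split(",")] if m.group("ports") else []
    return {
        "note": m.group("note"),
        "src": m.group("src"),
        "hosts": int(m.group("hosts")),
        "ports": ports,
        "port_count": int(m.group("nports")) if m.group("nports") else len(ports),
        "seconds": duration_seconds(m.group("dur")),
    }


SAMPLE = [
    # The two notices quoted in the post.
    "Scan::Random_Scan 198.20.69.74 scanned at least 102 hosts on 82 ports in 4m51s",
    "Address_Scan 91.236.75.4 scanned at least 102 unique hosts on ports 3128, 8080 in 4m47s",
    # Constructed non-scan line, to show that unrelated messages are rejected.
    "SSL::Invalid_Server_Cert constructed example line",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(parse_scan_notice(entry))
```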