Bro and port scan

pierfrancesco_porcu at libero.it
Wed Dec 12 07:05:48 PST 2001


Hi,
I have another question regarding Bro (version 07a90). I am testing the
capability of Bro to detect port scanners. After that, I have found other
problems:

1) It doesn't detect FIN, Xmas and Null scans.
2) Bro doesn't detect the same scan a second time between the same hosts on
the same ports.
3) It consumes a great quantity of memory.

To resolve the first, I have added a script to detect FIN, Xmas and Null
scans using the weird events they produce, and all works well.
To resolve the 2nd and the 3rd, I have added to scan.bro a recursive
function (that uses Bro's delete function and a support table) to delete
the records of the table scan_triples (the support table is also deleted).
While the first problem seems to be resolved, the second has gotten worse.
Is there a way to easily delete a subset of a table, or another way to
reduce the memory consumption of the scan analyzer?
Thanks.

Pierfrancesco Porcu.
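The two pieces of logic the post is asking about, FIN/Xmas/Null probe detection from raw TCP flags and a per-host-pair scan table whose idle entries are expired so memory stays bounded, as an added example in Python. This is not Bro script, not code from the original post, and not code from the Bro project; the threshold, idle timeout, flag constants and the sample traffic are all constructed for the illustration. Expiring an entry also clears its "already reported" mark, so a repeat of the same scan between the same hosts after the timeout is reported again rather than silently absorbed.

```python
# Added example (not from the original post and not Bro script code):
# flag-based classification of FIN / Xmas / Null probes plus a per-host-pair
# table whose idle entries are expired, so memory stays bounded and a repeated
# scan between the same hosts is reported again once the old entry is gone.

TH_FIN, TH_SYN, TH_RST, TH_PSH, TH_ACK, TH_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = TH_FIN | TH_PSH | TH_URG   # nmap-style Xmas: FIN+PSH+URG lit


def classify_probe(flags):
    """Return 'null', 'fin', 'xmas' or None for a raw TCP flags byte.

    Anything carrying ACK belongs to an established or replying flow and is
    never treated as a stealth probe (a FIN|ACK teardown is not a FIN scan).
    """
    if flags & TH_ACK:
        return None
    if flags == 0:
        return "null"
    if flags == TH_FIN:
        return "fin"
    if (flags & XMAS) == XMAS:
        return "xmas"
    return None


class ScanTracker:
    """Tracks distinct destination ports probed per (scanner, target) pair."""

    def __init__(self, threshold=5, idle_timeout=60.0):
        self.threshold = threshold        # assumed: distinct ports before alerting
        self.idle_timeout = idle_timeout  # assumed: seconds of silence before expiry
        self.table = {}                   # (orig, resp) -> {"kind", "ports", "last"}
        self.reported = set()             # pairs already alerted on; cleared on expiry

    def expire(self, now):
        """Delete every entry idle longer than idle_timeout; return how many."""
        stale = [k for k, v in self.table.items()
                 if now - v["last"] > self.idle_timeout]
        for k in stale:
            del self.table[k]
            self.reported.discard(k)
        return len(stale)

    def observe(self, ts, orig, resp, dport, flags):
        """Feed one TCP segment; return an alert string or None."""
        kind = classify_probe(flags)
        if kind is None:
            return None
        self.expire(ts)   # sweep on every probe here; a timer would do in practice
        key = (orig, resp)
        entry = self.table.setdefault(key, {"kind": kind, "ports": set(), "last": ts})
        entry["ports"].add(dport)
        entry["last"] = ts
        if len(entry["ports"]) >= self.threshold and key not in self.reported:
            self.reported.add(key)
            return "%s scan: %s probed %d ports on %s" % (
                kind, orig, len(entry["ports"]), resp)
        return None


# Constructed sample traffic (ts, orig, resp, dport, flags); not captured data.
SAMPLE = [
    (0.0, "10.0.0.5", "10.0.0.9", 21, TH_FIN),
    (0.1, "10.0.0.5", "10.0.0.9", 22, TH_FIN),
    (0.2, "10.0.0.5", "10.0.0.9", 23, TH_FIN),
    (0.3, "10.0.0.5", "10.0.0.9", 25, TH_FIN),
    (0.4, "10.0.0.5", "10.0.0.9", 80, TH_FIN),           # 5th port: alert
    (0.5, "10.0.0.5", "10.0.0.9", 443, TH_FIN),          # already reported
    (0.6, "10.0.0.7", "10.0.0.9", 80, TH_SYN),           # normal connect, ignored
    (0.7, "10.0.0.7", "10.0.0.9", 80, TH_FIN | TH_ACK),  # teardown, ignored
    (0.8, "10.0.0.8", "10.0.0.9", 22, 0),                # lone Null probe, no alert
    (100.0, "10.0.0.5", "10.0.0.9", 21, TH_FIN),         # same scan after 99 s idle
    (100.1, "10.0.0.5", "10.0.0.9", 22, TH_FIN),
    (100.2, "10.0.0.5", "10.0.0.9", 23, TH_FIN),
    (100.3, "10.0.0.5", "10.0.0.9", 25, TH_FIN),
    (100.4, "10.0.0.5", "10.0.0.9", 80, TH_FIN),         # reported a second time
]


def run_sample(packets=SAMPLE):
    """Run the tracker over the sample; return (alerts, tracker)."""
    tracker = ScanTracker(threshold=5, idle_timeout=60.0)
    alerts = [a for a in (tracker.observe(*p) for p in packets) if a]
    return alerts, tracker


if __name__ == "__main__":
    for line in run_sample()[0]:
        print(line)
```

The sweep inside observe() is the simplest way to show the idea; for a live sensor the expiry pass belongs on a periodic timer so that a burst of probes does not pay an O(n) scan of the table per packet, and the idle timeout should be chosen so that a slow scanner deliberately pacing probes below it is still caught by a lower per-pair threshold.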


