Update: [bro] how use scan analyzer ?

rmkml <rmkml at wanadoo.fr>
Fri Jun 18 10:54:34 PDT 2004


Hi again,

Updating my question because I found this:

$ grep -i scan *.log
alert.log:1087576751.844694 ScanSummary myip.163 scanned a total of 0 hosts
log.log:1087576751.844694 ScanSummary myip.163 scanned a total of 0 hosts

[my range is .162-190]

Strange, because I found it in alert.log|log.log as the last event (after Ctrl+C
of the bro process), and no other scan events.

Regards

Rmkml at Wanadoo.fr



On Fri, 18 Jun 2004, rmkml wrote:

> Date: Fri, 18 Jun 2004 14:29:51 +0200 (CEST)
> From: rmkml <rmkml at wanadoo.fr>
> To: bro at lbl.gov
> Subject: [bro] how use scan analyzer ?
> 
> Hi,
>
> I'm using bro v0.9a2
>
> on fbsd v4.9r
>
> I run bro with:
>
> /usr/local/bin/bro09a2_nodns -i fxp1 bro.init mt http-request http-reply
>
> but I don't have scan detection
>
> and I don't have scan.log.
>
> I have log.log, http.log, ftp.log, weird.log.
>
> I have tested with policy/scan.bro: 25 -> 5
>
> const possible_port_scan_thresh = 5 &redef;
>
> but no result.
>
> Normally, the scan analyzer is loaded by the mt.bro policy (default).
>
> I have added scan to the start command:
> /usr/local/bin/bro09a2_nodns -i fxp1 bro.init mt http-request http-reply scan
>
>
> Can you help me?
>
>
> I have a second question:
> how do I search old emails on the bro list?
> URL?
>
>
> Regards
>
> Rmkml at Wanadoo.fr
>
> PS: prelude and snort detect the scan; yes, I ran a scan test and received the scan ...
>
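As an added illustration (not code from the poster or from Bro's own policy/ directory), the threshold change the poster made by editing scan.bro can instead be carried in a small local policy file that is passed on the command line like the other policy names. It assumes Bro 0.9-era syntax, where `@load` pulls in a policy file found via BROPATH and `redef` overrides a constant declared with `&redef` (which scan.bro does for `possible_port_scan_thresh`); the file name `local-scan.bro` is an assumption, and 5 is the value the poster tested.

```bro
# local-scan.bro -- added example, not from the original post or from Bro's
# shipped policy files. Assumes Bro 0.9-era syntax: "@load" pulls in a policy
# file found via BROPATH, and "redef" overrides a constant declared with
# &redef (as possible_port_scan_thresh is in scan.bro).

# Pull in the scan analyzer explicitly, so detection does not depend on
# whether mt.bro happened to load it.
@load scan

# Lower the port-scan threshold from the shipped default of 25 to 5, the
# value the poster tested by editing scan.bro directly. Overriding it here
# leaves the shipped scan.bro untouched, so the change is easy to see in a
# review and is not lost when the policy directory is upgraded.
redef possible_port_scan_thresh = 5;
```

With this file on BROPATH, the poster's own invocation would become `/usr/local/bin/bro09a2_nodns -i fxp1 bro.init mt http-request http-reply local-scan`. Keeping site overrides in a separate file like this is also what makes a "why did the threshold not apply?" question answerable later: the effective value is in one place rather than in a hand-edited copy of the shipped policy.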
