[Bro] not detect {big} scan with scan analyser

rmkml rmkml at wanadoo.fr
Wed Nov 3 16:56:39 PST 2004


Hi list,

sorry for the noise,

but the latest bro version 09a7

does not detect any {BIG} scan ....

Regards

Rmkml at Wanadoo.fr


On Sat, 11 Sep 2004, rmkml wrote:

> Date: Sat, 11 Sep 2004 21:49:48 +0200 (CEST)
> From: rmkml <rmkml at wanadoo.fr>
> To: bro at bro-ids.org
> Subject: [Bro] not detect {big} scan with scan analyser
> 
> Hi,
>
> I'm using bro 09a[3-4-5] on freebsd v4.10R,
>
> bro does not detect this scan (attached pcap/gz file)
>
> with default policy,
>
> but in conn.log file :
>
> 1085375478.746540 0.000008 128.173.231.31 62.23.34.167 smtp 3618 25 tcp ? ? REJ X
> 1085375479.331791 0.000003 128.173.231.31 62.23.34.167 smtp 3618 25 tcp ? ? REJ X
> 1085375481.138096 ? 128.173.231.31 62.23.34.162 ftp 3565 21 tcp ? ? S0 X
> 1085375481.138064 ? 128.173.231.31 62.23.34.162 http 3566 80 tcp ? ? S0 X
> 1085375481.138104 ? 128.173.231.31 62.23.34.162 dns 3567 53 tcp ? ? S0 X
> 1085375481.138047 ? 128.173.231.31 62.23.34.162 smtp 3568 25 tcp ? ? S0 X
> 1085375481.138072 ? 128.173.231.31 62.23.34.162 finger 3569 79 tcp ? ? S0 X
> ...
>
> $ export BROPATH=/c/confL/policy
> $ export BRO_DNS_FAKE=1 # disable dns lookup
> $ /usr/local/bin/bro09a5_nodns_micro -r scantcp-viginia_edu.tcpdump bro.init mt
> -> scan analyser in mt.bro (@load scan)
>
> Can you help me?
>
> Regards
>
> Rmkml at Wanadoo.fr
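As an added illustration (not part of the thread or of Bro's scan.bro), here is the counting logic a scan detector applies to conn.log entries like the ones quoted above: failed attempts (state S0 or REJ) from one originator are grouped by responder and by port, and an originator crossing a threshold is reported. The sample log is constructed from the quoted lines plus one normal completed connection; the thresholds and record fields are assumptions, chosen to match the 12-column Bro 0.9 layout shown in the post.

```python
from collections import defaultdict

# Constructed sample in the 12-field Bro 0.9 conn.log layout quoted in the post:
# ts duration orig_h resp_h service orig_p resp_p proto orig_bytes resp_bytes state flags
# ("?" marks an unknown value). The last line is a normal completed connection.
SAMPLE_CONN_LOG = """\
1085375478.746540 0.000008 128.173.231.31 62.23.34.167 smtp 3618 25 tcp ? ? REJ X
1085375479.331791 0.000003 128.173.231.31 62.23.34.167 smtp 3618 25 tcp ? ? REJ X
1085375481.138096 ? 128.173.231.31 62.23.34.162 ftp 3565 21 tcp ? ? S0 X
1085375481.138064 ? 128.173.231.31 62.23.34.162 http 3566 80 tcp ? ? S0 X
1085375481.138104 ? 128.173.231.31 62.23.34.162 dns 3567 53 tcp ? ? S0 X
1085375481.138047 ? 128.173.231.31 62.23.34.162 smtp 3568 25 tcp ? ? S0 X
1085375481.138072 ? 128.173.231.31 62.23.34.162 finger 3569 79 tcp ? ? S0 X
1085375482.000000 1.234 10.0.0.5 62.23.34.162 http 40000 80 tcp 300 1200 SF X
"""

# Connection states meaning the originator never got a real session:
# S0 = SYN seen, no reply; REJ = attempt rejected with RST.
FAILED_STATES = {"S0", "REJ"}

def parse_conn_line(line):
    """Parse one conn.log line; return None for blank or malformed lines."""
    f = line.split()
    if len(f) < 12:
        return None
    return {"orig_h": f[2], "resp_h": f[3], "resp_p": int(f[6]),
            "proto": f[7], "state": f[10]}

def find_scans(log_text, port_threshold=5, addr_threshold=5):
    """Report originators whose failed connections spread over many ports of
    one responder (port scan) or over many responders (address scan)."""
    ports = defaultdict(set)   # (orig_h, resp_h) -> distinct responder ports tried
    hosts = defaultdict(set)   # orig_h -> distinct responders contacted
    for line in log_text.splitlines():
        rec = parse_conn_line(line)
        if rec is None or rec["state"] not in FAILED_STATES:
            continue
        ports[(rec["orig_h"], rec["resp_h"])].add(rec["resp_p"])
        hosts[rec["orig_h"]].add(rec["resp_h"])
    alerts = []
    for (orig_h, resp_h), p in sorted(ports.items()):
        if len(p) >= port_threshold:
            alerts.append((orig_h, "port_scan", resp_h, len(p)))
    for orig_h, h in sorted(hosts.items()):
        if len(h) >= addr_threshold:
            alerts.append((orig_h, "addr_scan", None, len(h)))
    return alerts

if __name__ == "__main__":
    for alert in find_scans(SAMPLE_CONN_LOG):
        print(alert)
```

On the sample, the originator is flagged as a port scanner against 62.23.34.162 (five distinct ports, all S0), while the completed SF connection from the other host contributes nothing.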


