[Bro] not detect {big} scan with scan analyser

rmkml rmkml at wanadoo.fr
Sat Sep 11 12:49:48 PDT 2004


Hi,

I'm using bro 09a[3-4-5] on freebsd v4.10R,

bro does not detect this scan (attached pcap/gz file)

with default policy,

but in conn.log file :

1085375478.746540 0.000008 128.173.231.31 62.23.34.167 smtp 3618 25 tcp ? ? REJ X
1085375479.331791 0.000003 128.173.231.31 62.23.34.167 smtp 3618 25 tcp ? ? REJ X
1085375481.138096 ? 128.173.231.31 62.23.34.162 ftp 3565 21 tcp ? ? S0 X
1085375481.138064 ? 128.173.231.31 62.23.34.162 http 3566 80 tcp ? ? S0 X
1085375481.138104 ? 128.173.231.31 62.23.34.162 dns 3567 53 tcp ? ? S0 X
1085375481.138047 ? 128.173.231.31 62.23.34.162 smtp 3568 25 tcp ? ? S0 X
1085375481.138072 ? 128.173.231.31 62.23.34.162 finger 3569 79 tcp ? ? S0 X
...

$ export BROPATH=/c/confL/policy
$ export BRO_DNS_FAKE=1 # disable dns lookup
$ /usr/local/bin/bro09a5_nodns_micro -r scantcp-viginia_edu.tcpdump bro.init mt
-> scan analyser in mt.bro (@load scan)

Could you possibly help me?

Regards

Rmkml at Wanadoo.fr
-------------- next part --------------
A non-text attachment was scrubbed...
Name: scantcp-virginia_edu.tcpdump.gz
Type: application/octet-stream
Size: 9732 bytes
Desc: scantcp.pcap.gz
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20040911/a0457069/attachment.obj 
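As an added illustration (not code from the post or from Bro itself) of what the conn.log excerpt above already reveals, here is a small detector that parses the old-style conn.log format quoted in the message and flags a source that leaves many half-open (S0) or refused (REJ) connections across distinct ports or hosts. The thresholds and the sample lines are constructed assumptions, not Bro's own scan.bro logic or defaults.

```python
"""Port-scan heuristic over Bro 0.9-style conn.log lines.

Field layout as seen in the post (whitespace separated):
ts duration orig_h resp_h service orig_p resp_p proto orig_bytes resp_bytes state flags
"""
from collections import defaultdict
from typing import Dict, Iterable, NamedTuple, Set, Tuple

# Connection states that mean the target never completed the handshake.
FAILED_STATES = {"S0", "REJ"}   # S0 = SYN only, no reply; REJ = refused


class Conn(NamedTuple):
    ts: float
    orig_h: str
    resp_h: str
    resp_p: int
    proto: str
    state: str


def parse_conn_line(line: str) -> Conn:
    """Pick out the fields the heuristic needs; '?' means unknown duration/bytes."""
    f = line.split()
    if len(f) < 11:
        raise ValueError(f"short conn.log line: {line!r}")
    return Conn(float(f[0]), f[2], f[3], int(f[6]), f[7], f[10])


def find_scanners(lines: Iterable[str], port_threshold: int = 5,
                  host_threshold: int = 5) -> Dict[str, Dict[str, int]]:
    """Return {orig_h: {'ports': n, 'hosts': m}} for sources over a threshold.

    Thresholds are constructed for this example; tune them to your network.
    """
    failed: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        c = parse_conn_line(line)
        if c.state in FAILED_STATES:
            failed[c.orig_h].add((c.resp_h, c.resp_p))
    hits: Dict[str, Dict[str, int]] = {}
    for src, pairs in failed.items():
        ports = {p for _, p in pairs}
        hosts = {h for h, _ in pairs}
        if len(ports) >= port_threshold or len(hosts) >= host_threshold:
            hits[src] = {"ports": len(ports), "hosts": len(hosts)}
    return hits


# Constructed sample modelled on the excerpt: one scanner plus one normal client.
SAMPLE_LOG = """\
1085375478.746540 0.000008 128.173.231.31 62.23.34.167 smtp 3618 25 tcp ? ? REJ X
1085375481.138096 ? 128.173.231.31 62.23.34.162 ftp 3565 21 tcp ? ? S0 X
1085375481.138064 ? 128.173.231.31 62.23.34.162 http 3566 80 tcp ? ? S0 X
1085375481.138104 ? 128.173.231.31 62.23.34.162 dns 3567 53 tcp ? ? S0 X
1085375481.138047 ? 128.173.231.31 62.23.34.162 smtp 3568 25 tcp ? ? S0 X
1085375481.138072 ? 128.173.231.31 62.23.34.162 finger 3569 79 tcp ? ? S0 X
1085375482.000000 0.5 10.0.0.5 62.23.34.162 http 40000 80 tcp 300 1200 SF X
"""
```

Run against the real file with `find_scanners(open("conn.log"))`; the SF line from the constructed normal client is ignored because only failed states count.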

