[Bro] not detect {big} scan with scan analyser

Christian Kreibich christian at whoop.org
Sat Sep 11 14:18:21 PDT 2004


Hi,

On Sat, 2004-09-11 at 20:49, rmkml wrote:
> Hi,
> 
> I'm using bro 09a[3-4-5] on freebsd v4.10R,
> 
> bro does not detect this scan (attached pcap/gz file)

man, please do *not* send snippets of full-packet captures of any site
other than your own private network to a public mailing list! I don't
need to know how you're using these traces but I'm sure the folks from
vetmed.vt.edu don't want to see their traffic dissected in public on the
Internet.

> with default policy,
> 
> but in conn.log file :
> 
> 1085375478.746540 0.000008 128.173.231.31 62.23.34.167 smtp 3618 25 tcp ? ? REJ X
> 1085375479.331791 0.000003 128.173.231.31 62.23.34.167 smtp 3618 25 tcp ? ? REJ X
> 1085375481.138096 ? 128.173.231.31 62.23.34.162 ftp 3565 21 tcp ? ? S0 X
> 1085375481.138064 ? 128.173.231.31 62.23.34.162 http 3566 80 tcp ? ? S0 X
> 1085375481.138104 ? 128.173.231.31 62.23.34.162 dns 3567 53 tcp ? ? S0 X
> 1085375481.138047 ? 128.173.231.31 62.23.34.162 smtp 3568 25 tcp ? ? S0 X
> 1085375481.138072 ? 128.173.231.31 62.23.34.162 finger 3569 79 tcp ? ? S0 X
> ...
> 
> $ export BROPATH=/c/confL/policy
> $ export BRO_DNS_FAKE=1 # disable dns lookup
> $ /usr/local/bin/bro09a5_nodns_micro -r scantcp-viginia_edu.tcpdump bro.init mt

Note: you normally do not need to include bro.init separately on the
command line as that's always included (see main.cc).

> -> scan analyser in mt.bro (@load scan)
> 
> Could you possibly help me?

I'm not sure what you're feeding into Bro, but that's not that many
SYNs. I suggest you dig through the scan.bro policy and try to
understand why it decides that it is not a scan -- you'll also *need* to
understand it if you want to use the scan analyzer reliably.

Regards,
Christian.
-- 
________________________________________________________________________
                                          http://www.cl.cam.ac.uk/~cpk25
                                                    http://www.whoop.org
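To make the "dig through scan.bro and see why it is not a scan" advice concrete, here is an added example (not part of the original thread, and not Bro's own scan.bro code): a small Python counter that reads conn.log records in the layout quoted above, keeps only failed TCP attempts (state S0 or REJ), and reports an originator that tried more than a threshold of distinct ports on one responder, or more than a threshold of distinct responders. The threshold values, the RFC 5737 addresses and the sample records are constructed for illustration and are not scan.bro's defaults; the point it shows is that repeated SYNs to the same port never raise the distinct-port count, which is why a handful of retries does not look like a scan to a counter of this shape.

```python
"""Threshold-based scan counting over old-style Bro conn.log lines.

Added example for this thread; it is not Bro's scan.bro policy. Field
layout follows the records quoted in the thread:
  ts duration orig_h resp_h service orig_p resp_p proto orig_bytes resp_bytes state [flags]
with '?' standing for an unknown field. Thresholds and sample data are
assumed for illustration, not scan.bro defaults.
"""
from collections import defaultdict
from typing import Dict, Iterator, List, Optional, Set, Tuple

# Connection states that mean no handshake completed:
# S0 = SYN seen, nothing from the responder; REJ = attempt rejected (RST).
FAILED_STATES = {"S0", "REJ"}

# Assumed illustrative thresholds (not scan.bro's actual defaults).
PORT_SCAN_THRESHOLD = 5      # distinct ports tried on one responder
ADDR_SCAN_THRESHOLD = 3      # distinct responders tried by one originator

# Constructed sample log using RFC 5737 documentation addresses, in the
# same layout as the records quoted in the thread.
SAMPLE_CONN_LOG: List[str] = [
    # two attempts to the *same* port: counts once as a distinct port
    "1085375478.746540 0.000008 192.0.2.10 198.51.100.9 smtp 3618 25 tcp ? ? REJ X",
    "1085375479.331791 0.000003 192.0.2.10 198.51.100.9 smtp 3618 25 tcp ? ? REJ X",
    # seven distinct ports on one host, all unanswered SYNs
    "1085375481.138096 ? 192.0.2.10 198.51.100.5 ftp 3565 21 tcp ? ? S0 X",
    "1085375481.138064 ? 192.0.2.10 198.51.100.5 http 3566 80 tcp ? ? S0 X",
    "1085375481.138104 ? 192.0.2.10 198.51.100.5 dns 3567 53 tcp ? ? S0 X",
    "1085375481.138047 ? 192.0.2.10 198.51.100.5 smtp 3568 25 tcp ? ? S0 X",
    "1085375481.138072 ? 192.0.2.10 198.51.100.5 finger 3569 79 tcp ? ? S0 X",
    "1085375481.138110 ? 192.0.2.10 198.51.100.5 pop3 3570 110 tcp ? ? S0 X",
    "1085375481.138121 ? 192.0.2.10 198.51.100.5 imap 3571 143 tcp ? ? S0 X",
    # a completed connection (SF) and a UDP record: neither is a failed TCP attempt
    "1085375490.000000 1.25 192.0.2.10 198.51.100.7 http 3600 80 tcp 512 2048 SF X",
    "1085375491.000000 ? 192.0.2.10 198.51.100.8 dns 3601 53 udp ? ? S0 X",
    # a line in some other layout is skipped rather than crashing the counter
    "garbage line",
]


def parse_conn_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one record; return None when the line does not fit the layout."""
    f = line.split()
    if len(f) < 11:
        return None
    try:
        return {
            "ts": float(f[0]),
            "orig_h": f[2],
            "resp_h": f[3],
            "resp_p": int(f[6]),
            "proto": f[7],
            "state": f[10],
        }
    except ValueError:
        return None


def failed_tcp_attempts(lines) -> Iterator[Tuple[str, str, int]]:
    """Yield (orig_h, resp_h, resp_p) for TCP records whose state is in FAILED_STATES."""
    for line in lines:
        rec = parse_conn_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["state"] not in FAILED_STATES:
            continue
        yield rec["orig_h"], rec["resp_h"], rec["resp_p"]


def find_port_scans(lines, threshold=PORT_SCAN_THRESHOLD) -> Dict[Tuple[str, str], Set[int]]:
    """Map (orig_h, resp_h) -> distinct failed ports, for pairs at or over threshold.

    Repeated SYNs to one port do not raise the count; only distinct ports do."""
    ports: Dict[Tuple[str, str], Set[int]] = defaultdict(set)
    for orig_h, resp_h, resp_p in failed_tcp_attempts(lines):
        ports[(orig_h, resp_h)].add(resp_p)
    return {pair: p for pair, p in ports.items() if len(p) >= threshold}


def find_address_scans(lines, threshold=ADDR_SCAN_THRESHOLD) -> Dict[str, Set[str]]:
    """Map orig_h -> distinct responders it failed to reach, at or over threshold."""
    hosts: Dict[str, Set[str]] = defaultdict(set)
    for orig_h, resp_h, _ in failed_tcp_attempts(lines):
        hosts[orig_h].add(resp_h)
    return {h: r for h, r in hosts.items() if len(r) >= threshold}


if __name__ == "__main__":
    for (src, dst), p in find_port_scans(SAMPLE_CONN_LOG).items():
        print(f"port scan: {src} -> {dst} on {len(p)} ports: {sorted(p)}")
    for src, dsts in find_address_scans(SAMPLE_CONN_LOG).items():
        print(f"address scan: {src} -> {sorted(dsts)}")
```

Run it against a real conn.log by replacing SAMPLE_CONN_LOG with the file's lines; lowering the thresholds is the quick way to confirm whether a capture simply carries too few distinct ports or hosts to cross whatever limit the policy in use applies.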
