[Bro] two questions

Vincenzo Falletta falletta at ftw.at
Mon Jan 2 18:28:05 PST 2006


Hello again,
this time two naive questions:

1) I use my own "onlyscan.bro" policy file:

===================================
@load alarm
@load tcp
@load scan
@load trw
@load weird


redef use_tagging = T;

redef shut_down_all_scans = T;
redef use_TRW_algorithm = T;

redef skip_services += {
	445/tcp,
	135/tcp
};
===================================


but, in the alarm.log file I still find alerts triggered by scanners at
port 445/tcp and 135/tcp, and if I create a report with site-report.pl
in the "Scans" section I also find entries related to scans at ports 445
and 135. How can I tell bro just to ignore these services?


2) How does the site-report.pl script choose the entries to be written
in the Scan section of the report? Reading the manual I see that they
should be ONLY the successful scans, but in the end of alarm.log file I
have some entries like "ScanSummary: host x has scanned a total of 3241
hosts" and this does not appear in the report! Instead, in the report I
have entries like "host y has scanned 100 hosts" so it's a lower value
and seems related to the thresholds set in the variable
"report_outbound_peer_scan" rather than being a total number of hosts
scanned. I tried to read and understand the code but I'm not familiar
with perl, and it would be easier to have some brief documentation or at
least an explanation of the main functions involved, like
"Bro::Report::Alarm::output_scans".


Thanks for your attention.

	Vincenzo
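Added example, not part of the original post and not Bro's or site-report.pl's own code: a small Python post-filter that reads alarm-log style lines, drops the per-port scan alarms for the services listed in skip_services, and then reports one count per scanning host, preferring a "ScanSummary" total over the lower "has scanned N hosts" threshold message when both exist. The line format (key=value fields followed by msg=...) and the sample lines are constructed for this illustration; real Bro 1.x alarm.log output differs and the field names used here (no, sa, p, msg) are assumptions.

```python
import re

# Constructed sample in an assumed key=value layout; NOT real Bro alarm.log
# output. The message texts mirror the two kinds quoted in the post:
# a per-threshold "has scanned 100 hosts" alarm and a "ScanSummary" total.
SAMPLE_ALARM_LOG = """\
t=1136250000.123 no=AddressScan sa=10.0.0.5 p=445/tcp msg=10.0.0.5 has scanned 100 hosts (445/tcp)
t=1136250001.456 no=AddressScan sa=10.0.0.7 p=22/tcp msg=10.0.0.7 has scanned 100 hosts (22/tcp)
t=1136250002.789 no=ScanSummary sa=10.0.0.5 msg=10.0.0.5 has scanned a total of 3241 hosts
t=1136250003.000 no=AddressScan sa=10.0.0.9 p=135/tcp msg=10.0.0.9 has scanned 100 hosts (135/tcp)
"""

# Same services the policy file in the post adds to skip_services.
SKIP_SERVICES = {"445/tcp", "135/tcp"}

COUNT_RE = re.compile(r"has scanned (?:a total of )?(\d+) hosts")


def parse_alarm_line(line):
    """Split one constructed-format line into a dict of fields.

    Everything after ' msg=' is free text and may contain spaces, so it is
    cut off first; the remaining tokens are key=value pairs.
    """
    head, _, msg = line.partition(" msg=")
    fields = dict(tok.split("=", 1) for tok in head.split() if "=" in tok)
    fields["msg"] = msg.strip()
    return fields


def filter_skipped_services(lines, skip=SKIP_SERVICES):
    """Drop alarms whose port field (p=) is one of the skipped services.

    Records without a port field (e.g. a ScanSummary) are always kept.
    """
    kept = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_alarm_line(line)
        if rec.get("p") in skip:
            continue
        kept.append(rec)
    return kept


def scan_totals(records):
    """Return {scanner_ip: hosts_scanned}.

    A ScanSummary total wins over the threshold-crossing alarm counts; when
    a host has no summary line, the highest threshold it crossed is used.
    """
    totals = {}
    threshold_hits = {}
    for rec in records:
        m = COUNT_RE.search(rec.get("msg", ""))
        if not m or "sa" not in rec:
            continue
        n = int(m.group(1))
        if rec.get("no") == "ScanSummary":
            totals[rec["sa"]] = n
        else:
            threshold_hits[rec["sa"]] = max(threshold_hits.get(rec["sa"], 0), n)
    for host, n in threshold_hits.items():
        totals.setdefault(host, n)
    return totals


def report(log_text=SAMPLE_ALARM_LOG):
    """Convenience wrapper: filter the skipped services, then aggregate."""
    return scan_totals(filter_skipped_services(log_text.splitlines()))


if __name__ == "__main__":
    for host, n in sorted(report().items()):
        print(f"{host} scanned {n} hosts")
```

Note that a ScanSummary carries no port, so it survives the port filter even when every threshold alarm for that host was on a skipped service; whether that is desired depends on whether you want to ignore the ports or the hosts that probe them.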


