[Bro] two questions

Vern Paxson vern at icir.org
Mon Jan 9 23:48:30 PST 2006


> redef skip_services += {
> 	445/tcp,
> 	135/tcp
> };

You need to put these in both skip_services and skip_outbound_services.

Yeah, I know, this isn't intuitive :-(.  The configuration for scan.bro
is pretty much a mess, and we have a rewrite of it pending, but haven't
managed to get it fully together yet.  Sorry about that ...

> 2) How does the site-report.pl script choose the entries to be written
> in the Scan section of the report?  Reading the manual I see that they
> should be ONLY the successful scans, but in the end of alarm.log file I
> have some entries like "ScanSummary: host x has scanned a total of 3241
> hosts" and this does not appear in the report! Instead, in the report I
> have entries like "host y has scanned 100 hosts"  so it's a lower value
> and seems related to the thresholds set in the variable
> "report_outbound_peer_scan" rather than being a total number of hosts
> scanned.

Right, the summary is decoupled here.  Jason or Roger will need to chime
in here, as they're the ones who develop/maintain site-report.pl.

Again, sorry about the confusion ...

		Vern
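As an added illustration of the point above that both sets must be edited (this is not from the original message and not from the Bro distribution itself): a local-policy fragment that suppresses 445/tcp and 135/tcp in both skip_services and skip_outbound_services. The only assumption, based on the set names and the reply, is that the outbound scan checks consult skip_outbound_services rather than skip_services; confirm against the scan.bro shipped with your Bro version.

```bro
# Added example for a local site policy; not part of the original post.
# scan.bro must be loaded first so that both sets exist to be redef'd.
@load scan

# Incomplete form, as in the question: only the general scan checks
# consult this set, so outbound activity on these ports is still counted.
redef skip_services += {
	445/tcp,
	135/tcp
};

# Corrected form: the same ports go into the second set as well.
# (Assumption: the outbound scan checks consult skip_outbound_services
# only; verify in your installed scan.bro.)
redef skip_outbound_services += {
	445/tcp,
	135/tcp
};
```

Keep the two lists in step when you later add or remove ports; a port present in only one set reproduces exactly the symptom described in the question.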
