[Bro] inbound PortScans that aren't really...
Randolph Reitz
rreitz at fnal.gov
Wed Sep 26 14:37:57 PDT 2007
I'm running a minimal set of BRO (1.3.2) policies, scan.bro plus a
few others, on the Fermilab traffic. I see a lot of inbound scans
that appear to be bogus. For example...
1190841523.673433:PortScan:NOTICE_ALARM_ALWAYS::216.7.172.212::216.7.172.212:80/tcp::::::216.7.172.212 has scanned 50 ports of 131.225.22.131::@9765
This notice seems to be the result of an internal host visiting a web
page (e.g. 212.172.7.216.in-addr.arpa domain name pointer
forums.snapstream.com) where the web browser is incrementing the
source port for each TCP connection to the destination port 80 web
server. In scan.bro, this looks like the remote system is (inbound)
port scanning the internal host.
Have I missed a configuration in scan.bro that will ignore this?
Thanks,
Randy Reitz
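To make the failure mode in the post concrete, the following is an added example (not code from the post, and not Bro's own scan.bro logic): a toy port-scan tally that counts distinct destination ports per remote host, fed with constructed connection records in which the web server's replies to 60 browser source ports are recorded with the server as originator. The ephemeral-port boundary of 1024 and the test scanner address 198.51.100.7 are assumptions chosen for the demonstration.

```python
# Toy model of a PortScan tally: count distinct destination ports one remote host
# touches on one local host. This is an illustration, not Bro's scan.bro code.
from collections import defaultdict
from dataclasses import dataclass

PORTSCAN_THRESHOLD = 50   # "has scanned 50 ports", as in the notice in the post
EPHEMERAL_START = 1024    # assumption for this example: ports >= 1024 are client-side

@dataclass(frozen=True)
class Conn:
    orig_h: str   # originator address as the sensor recorded it
    orig_p: int
    resp_h: str   # responder address as the sensor recorded it
    resp_p: int

def looks_reversed(c: Conn) -> bool:
    """Heuristic: a record whose originator sits on a service port and whose
    responder sits on an ephemeral port is most likely the server side of a
    session the local host opened (the browser-to-port-80 case in the post)."""
    return c.orig_p < EPHEMERAL_START and c.resp_p >= EPHEMERAL_START

def tally_ports(conns, skip_reversed: bool):
    """Return {(orig_h, resp_h): set of resp_p} over the given connection records."""
    seen = defaultdict(set)
    for c in conns:
        if skip_reversed and looks_reversed(c):
            continue   # do not let a reply half inflate the "scanned ports" count
        seen[(c.orig_h, c.resp_h)].add(c.resp_p)
    return seen

def port_scanners(conns, skip_reversed: bool):
    """Return [(scanner, target, n_ports)] for pairs at or above the threshold."""
    return [(o, r, len(ports))
            for (o, r), ports in tally_ports(conns, skip_reversed).items()
            if len(ports) >= PORTSCAN_THRESHOLD]

# Constructed sample: 131.225.22.131 opens 60 HTTP connections to 216.7.172.212,
# but each is recorded with the web server as originator, so every local
# ephemeral port looks like a "scanned" port.
WEB_REPLIES = [Conn("216.7.172.212", 80, "131.225.22.131", 49152 + i) for i in range(60)]
# Constructed sample: a genuine sweep of 60 low ports from a documentation address.
REAL_SCAN = [Conn("198.51.100.7", 40000 + i, "131.225.22.131", 1 + i) for i in range(60)]

if __name__ == "__main__":
    # The naive tally flags the web server; skipping reversed records keeps only
    # the real sweep. A production detector should use SYN direction from
    # connection state rather than this port-number heuristic alone.
    for label, skip in (("naive", False), ("skip reversed", True)):
        print(label, port_scanners(WEB_REPLIES + REAL_SCAN, skip))
```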