[Bro] scan.bro and missing log entries
Tyler T. Schoenke
Tyler.Schoenke at colorado.edu
Thu Dec 2 08:00:03 PST 2010
I've been seeing AddressScan alerts, but when I check conn.log, I can't
find the corresponding entries. I got an alert yesterday about a
5060/udp scan hitting 100 hosts. Below are the conn.log, flowscan, and
notice.log for the entire day matching the IP and port.
conn.log:
Dec 1 11:27:45 0.000000 172.21.210.116 151.32.190.137 other 51272 5060 udp 101 ? S0 L
flowscan:
12/01 11:27:45 172.21.210.116 151.32.190.137 17 51272 5060 1 129
notice.log:
Dec 1 11:27:45 no=AddressScan na=NOTICE_EMAIL es=w5 sa=172.21.210.116 p=5060/udp num=100 msg=172.21.210.116\ has\ scanned\ 100\ hosts\ (5060/udp) tag=@62-7ba5-3df5e6
As you can see, at 11:27, Bro thinks 100 hosts were scanned on
5060/udp. But the conn.log and flowscan data only show one host being
scanned. Any ideas why this alert thinks 100 hosts are being hit when
it is one host with a single SYN?
Tyler
--
Tyler Schoenke
Network Security Analyst
IT Security Office
University of Colorado - Boulder
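An added check, not part of the post and not Bro's own scan.bro code: a small Python script that parses the two log formats quoted above and, for each AddressScan notice, counts the distinct destination hosts that conn.log actually records for the same source address and port/protocol, so the num= value in the notice can be compared with what the connection log supports. The conn.log column layout and the backslash-escaped msg= field are assumed from the quoted lines; the first conn.log record reproduces the post's entry and the other two are constructed so the filter has something to exclude.

```python
import re

# Constructed sample data in the shapes quoted in the post (one record per line).
# The first conn.log line reproduces the post's entry; the other two are added
# so the filter has something to exclude (same source, other port; other source).
CONN_LOG = """\
Dec 1 11:27:45 0.000000 172.21.210.116 151.32.190.137 other 51272 5060 udp 101 ? S0 L
Dec 1 11:27:46 0.000000 172.21.210.116 151.32.190.138 other 51273 5061 udp 101 ? S0 L
Dec 1 11:28:02 0.000000 10.0.0.5 151.32.190.137 other 40000 5060 udp 101 ? S0 L
"""

# Backslash-escaped spaces inside msg=, as in the quoted notice.log record.
NOTICE_LOG = r"""Dec 1 11:27:45 no=AddressScan na=NOTICE_EMAIL es=w5 sa=172.21.210.116 p=5060/udp num=100 msg=172.21.210.116\ has\ scanned\ 100\ hosts\ (5060/udp) tag=@62-7ba5-3df5e6
"""


def parse_conn_line(line):
    """Column layout assumed from the quoted conn.log line: a three-token syslog
    timestamp, then duration, orig_h, resp_h, service, orig_p, resp_p, proto,
    orig_bytes, resp_bytes, state, flags."""
    f = line.split()
    if len(f) < 13:
        return None
    return {
        "ts": " ".join(f[:3]),
        "src": f[4], "dst": f[5],
        "sport": f[7], "dport": f[8], "proto": f[9],
        "state": f[12],
    }


# A notice.log token is a run of non-blank characters in which a backslash-escaped
# character (notably "\ ") does not terminate the token.
_TOKEN = re.compile(r"(?:\\.|\S)+")


def parse_notice_line(line):
    """Split a key=value notice.log record into a dict, unescaping "\\ " in values."""
    parts = line.split(None, 3)  # month, day, time, remainder
    notice = {"ts": " ".join(parts[:3])}
    for tok in _TOKEN.findall(parts[3] if len(parts) > 3 else ""):
        if "=" not in tok:
            continue
        key, val = tok.split("=", 1)
        notice[key] = re.sub(r"\\(.)", r"\1", val)  # drop the escaping backslashes
    return notice


def distinct_targets(conns, src, port, proto):
    """Destination hosts that src actually touched on port/proto according to conn.log."""
    return sorted({c["dst"] for c in conns
                   if c["src"] == src and c["dport"] == port and c["proto"] == proto})


def check_address_scans(conn_text, notice_text):
    """For every AddressScan notice, compare its num= claim with conn.log evidence."""
    conns = [c for c in (parse_conn_line(ln) for ln in conn_text.splitlines()) if c]
    findings = []
    for line in notice_text.splitlines():
        n = parse_notice_line(line)
        if n.get("no") != "AddressScan":
            continue
        port, proto = n["p"].split("/", 1)
        targets = distinct_targets(conns, n["sa"], port, proto)
        findings.append({
            "sa": n["sa"], "p": n["p"],
            "claimed": int(n["num"]),   # what the notice says
            "observed": len(targets),   # what conn.log supports
            "targets": targets,
            "msg": n.get("msg", ""),
        })
    return findings


if __name__ == "__main__":
    for f in check_address_scans(CONN_LOG, NOTICE_LOG):
        print(f"{f['sa']} {f['p']}: notice claims {f['claimed']} hosts, "
              f"conn.log shows {f['observed']}: {', '.join(f['targets'])}")
```

Run over a full day's conn.log and notice.log this prints one line per AddressScan notice; a claimed count far above the observed one is exactly the discrepancy described in the post, and the target list shows which hosts conn.log does have so the rest can be looked for elsewhere (flowscan, packet captures, or whatever the detector counted that never produced a conn.log record).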