[Bro] scan.bro and missing log entries
Robin Sommer
robin at icir.org
Thu Dec 2 13:28:53 PST 2010
On Thu, Dec 02, 2010 at 09:00 -0700, Tyler T. Schoenke wrote:
> As you can see, at 11:27, Bro thinks 100 hosts were scanned on
> 5060/udp.
Actually it means that 100 hosts have been scanned and the *last*
attempt triggering the alert was on port 506 (not necessarily all).
When you were checking conn.log, did you filter for all connections
involving that IP or just those on port 5060?
Robin
--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
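
A simplified model of the counting behaviour described in the reply above, as an added example that is not part of the original message and is not scan.bro's own code: distinct destinations are counted per source across all ports, and the notice carries only the port of the connection that crossed the threshold. The tuple layout, function names and sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

THRESHOLD = 100            # distinct hosts, the count reported in the thread
SRC = "192.0.2.10"         # constructed scanner address (documentation range)


def detect_address_scans(conns, threshold=THRESHOLD):
    """conns: (ts, src, dst, dport, proto) tuples in time order.

    Returns (notices, per_port), where per_port[src][(dport, proto)] is the
    set of destinations that source contacted on that port.
    """
    seen = defaultdict(set)                            # src -> all dsts
    per_port = defaultdict(lambda: defaultdict(set))   # src -> port -> dsts
    notices = []
    for ts, src, dst, dport, proto in conns:
        per_port[src][(dport, proto)].add(dst)
        if dst in seen[src]:
            continue                                   # not a new victim
        seen[src].add(dst)
        if len(seen[src]) == threshold:
            # Only the triggering connection's port ends up in the notice.
            notices.append({"ts": ts, "src": src, "hosts": threshold,
                            "last_port": f"{dport}/{proto}"})
    return notices, per_port


def hosts_per_port(per_port, src):
    """What a per-port filter of the connection log would show for src."""
    return {f"{p}/{pr}": len(d) for (p, pr), d in per_port[src].items()}


def build_sample():
    """Constructed traffic: 70 hosts on 80/tcp, then 30 on 5060/udp."""
    web = [(i, SRC, f"198.51.100.{i + 1}", 80, "tcp") for i in range(70)]
    sip = [(70 + i, SRC, f"198.51.100.{71 + i}", 5060, "udp")
           for i in range(30)]
    return web + sip


if __name__ == "__main__":
    notices, per_port = detect_address_scans(build_sample())
    print(notices)                        # one notice: 100 hosts, 5060/udp
    print(hosts_per_port(per_port, SRC))  # only 30 of them were on 5060/udp
```

Filtering the connection log on the notice's port alone would show 30 hosts here, which is why the check has to cover every connection involving the source IP.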