[Bro] differences between p and sp/dp port numbers inside the alert log

Veronica Estrada estrada.veronica at gmail.com
Tue Sep 14 05:19:23 PDT 2010


Hello.
I need to understand why the field port (p) is used when a 'PortScan'
alert is logged instead of the field source port (sp). For
example, in the connection summaries, I've got 51 udp connections with
flag S0, from one host to another host using 51 different destination
ports and the same originator port=43210.
In the alerts log, the same host appears to have scanned 50 ports, but
instead of identifying the same originator port number, p=29638/udp is
recorded.
In all my 'PortScan' alert records there is no coincidence between the
originator port written in the connection summaries and the port
logged in the alerts.

Thanks in advance,

Veronica Estrada
