[Bro] differences between p and sp/dp port numbers inside the alert log
Vern Paxson
vern at icir.org
Tue Sep 14 07:33:28 PDT 2010
> I need to understand why the field port (p) is used when 'PortScan'
> alert is logged instead of using the field source port (sp).
The main reconnaissance information gathered by a scan is whether
the destination has a listener on the given port. So the source port
isn't relevant to the semantics of the scan. (Bro will however try
to determine when it's observing TCP backscatter, in which case the
apparent source becomes relevant. That's not the case here.)
> In the alerts log, the same host appears to have scanned 50 ports but
> instead of identifying the same originator port number, p=29638/udp is
> recorded.
In the notice, what's included is the port of the most recent activity
(the activity that triggered generation of the notice). Often for
routine scanning this readily identifies the attacker's intent. In
your case, however, it doesn't. (Indeed, I imagine what you're seeing
isn't a scan at all.)
Vern
More information about the Bro
mailing list