[Bro] Question about port scan detection and raising alarms

George Noseevich ngo at lvk.cs.msu.su
Wed Nov 16 23:57:18 PST 2011


Hello!
I wonder, is the port scan detection functionality present in bro 2.0,
and if it is, how do I enable it?
I am starting bro with scripts/test-all-policy.bro, which should (I
suppose) enable all built-in analyzers, then perform a standard nmap SYN
scan of the host running bro. After that, I shut down bro and examine the
results.
However, nothing related to scanning is shown in notice.log, and the
alarm.log doesn't even get created. Am I missing some important steps here?

I'm running bro directly via cli: bro -i eth0 scripts/test-all-policy.bro

As a side question: what is the easiest way to test bro's
alarm-triggering? What I need is a sample pcap file (or some kind of
instructions) which will trigger alarms in a default bro configuration
(freshly-built bro run with the scripts that are distributed with bro itself).

Thanks
