[Bro] Question about port scan detection and raising alarms

Robin Sommer robin at icir.org
Fri Nov 18 07:53:08 PST 2011


On Thu, Nov 17, 2011 at 11:57 +0400, you wrote:

> I wonder, is the port scan detection functionality present in bro 2.0,

No, the scan detector isn't in there yet. We're planning to rewrite it
using the new frameworks, but that didn't make it into 2.0 anymore.

We have however ported the 1.5 version over to Bro 2.0 and put it into
the contributed scripts repository for now, see here:

    http://git.bro-ids.org/bro-scripts.git/tree

You can download scan.bro from there, put it into your site directory,
and then load it from local.bro. The script hasn't seen much testing
yet, but it's basically the 1.5 version with a few little pieces
updated to the 2.0 API changes.

> As a side question: what is the easiest way to test bro's
> alarm-triggering?

The easiest way would be without any trace at all, just some lines of
script code directly triggering an alarm. There are a few tests in the
test suite which do that. Try this:

    bro <bro-distribution>/testing/btest/scripts/base/frameworks/notice/suppression.bro

Then look at notice.log.

Robin

-- 
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
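An added example of the trace-free approach described above, not taken from Robin's message or the Bro distribution: a small script that raises a constructed notice type directly from bro_init() so notice.log can be checked. It assumes the Bro 2.0 notice framework's $identifier and $suppress_for fields (the ones suppression.bro exercises); the module and notice names are made up for this example.

```bro
# test_notice.bro -- raise notices from script code only, no trace needed.
# Run with:  bro test_notice.bro   and then inspect notice.log.

module Test;

export {
	redef enum Notice::Type += {
		## Constructed notice type used only to exercise the notice framework.
		Alarm_Test,
	};
}

event bro_init()
	{
	# First notice: should show up in notice.log as Test::Alarm_Test.
	NOTICE([$note=Alarm_Test,
	        $msg="first test notice",
	        $sub="raised from bro_init()"]);

	# The next two notices share an $identifier. The framework suppresses
	# repeats of the same identifier for $suppress_for, so only the first
	# of the pair is expected in notice.log (assumption: 2.0 field names
	# $identifier/$suppress_for, as used by the suppression.bro test).
	NOTICE([$note=Alarm_Test, $msg="suppressed pair, first",
	        $identifier="static-id", $suppress_for=1hr]);
	NOTICE([$note=Alarm_Test, $msg="suppressed pair, second",
	        $identifier="static-id", $suppress_for=1hr]);
	}
```

If the second of the pair also appears, suppression is not taking effect, which is the behaviour the referenced suppression.bro test is meant to verify.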


