[Bro] connection states
Seth Hall
seth at icir.org
Mon Jul 22 11:30:02 PDT 2013
On Jul 22, 2013, at 2:11 PM, Laleh Arshadi <la_arshadi at yahoo.com> wrote:
> OK... to be more precise, how can I decide which connection is suspicious to be a TCP scanning attempt?
That's mostly going to depend on what you consider a TCP scan attempt. This is such a hard problem and could be slightly different in everyone's context.
Anyway, I would recommend taking a look at the scan.bro that is in our master repository. It's a new script that is coming out with the upcoming 2.2 release and it works pretty well. If you read and understand that script, it should answer your question though.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/