[Bro] Question on Notices

Josh Liburdi liburdi.joshua at gmail.com
Fri May 23 10:40:54 PDT 2014

Originally only replied to Damon, wanted to make sure the rest of the list
caught this too in case anyone else had a similar question ...

There are a couple ways to get the hosts in your notice, but both require
modifying the scan.bro script-- if you want to capture all of the victim
hosts, then you can add the victims to a table as the data is being sent to
Sumstats ( SumStats::observe("scan.addr.fail" ... ); if you want a random
sample of the victim hosts, then you can add the Sumstats sample
measurement to the reducer ( detect-sqli.bro has an example of this ). The
latter won't give you all the scanned hosts, but it'd be easier and cleaner
to implement in the script.

The easiest way to check w/o editing any scripts or altering the notice is
to bro-cut your http.log and fgrep for the scanner IP connecting to hosts
on port 80.


On Thu, May 22, 2014 at 12:49 PM, Damon Rouse <damonrouse at gmail.com> wrote:

> Hi
> I've been playing with notice alerts and was wondering if it's possible to
> get the alert below to show the unique hosts that it scanned.  If not
> possible via an alert, what would be the best way in Bro to find these
> hosts?  Thanks!
> [Bro] Scan::Address_Scan
> Message: 192.168.xxx.xxx scanned at least 27 unique hosts on port 80/tcp
> in 1m56s
> Sub-message: local
>  Address: 192.168.xxx.xxx
>  Email Extensions
> ----------------
> orig/src hostname: xxxxxxxxxxxxxxx
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140523/5bb8cb57/attachment.html 

More information about the Bro mailing list