[Bro] Question on Notices
vladg at cmu.edu
Fri May 23 11:42:02 PDT 2014
On May 23, 2014, at 1:40 PM, Josh Liburdi <liburdi.joshua at gmail.com> wrote:
> There are a couple ways to get the hosts in your notice, but both require modifying the scan.bro script-- if you want to capture all of the victim hosts, then you can add the victims to a table as the data is being sent to Sumstats ( SumStats::observe("scan.addr.fail" ... ); if you want a random sample of the victim hosts, then you can add the Sumstats sample measurement to the reducer ( detect-sqli.bro has an example of this ). The latter won't give you all the scanned hosts, but it'd be easier and cleaner to implement in the script.
+1 to what Josh said, but I'll just add two points:
- Adding the full set of victim hosts will drastically increase the memory usage. scan.bro can already be fairly memory intensive on a large network (depending on how populated your IP space is, where exactly Bro is inspecting the traffic, etc.) This trade-off might be worth it to you, just wanted to point it out.
- While with the sampling approach the samples are randomized, they are also statistically significant. That means that if an attacker scans 1000 ports on host A, and one port on another 10 hosts, host A would be the one to show up in the sample. (I'm oversimplifying things here, for more information see: http://en.wikipedia.org/wiki/Reservoir_sampling)
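To make the difference between the two approaches concrete, here is an added illustration (Python, not Bro script code and not from the Bro project) that stands in for the two designs discussed in this thread: keeping every victim host in a table versus drawing a reservoir sample from the observation stream. The IP addresses and the scan stream are constructed for the example; each list entry plays the role of one `SumStats::observe()` call. Running it shows the effect described above: a host that receives 1000 observations is essentially always present in a small sample, while a host hit once appears with probability roughly k/n.

```python
import random
from collections import Counter

# Constructed stream of scan observations, one entry per failed connection
# attempt: the attacker probes 1000 ports on host 10.0.0.1 and one port on
# each of ten other hosts.  Each entry stands in for one SumStats::observe().
SCAN_STREAM = ["10.0.0.1"] * 1000 + [f"10.0.1.{i}" for i in range(1, 11)]


def full_victim_table(stream):
    """Approach 1: record every victim host.

    Exact, but memory grows with the number of distinct victims, which is the
    cost pointed out in the thread.
    """
    return Counter(stream)


def reservoir_sample(stream, k, rng):
    """Approach 2: Algorithm R reservoir sampling over the observation stream.

    Keeps k items in constant memory.  Every observation seen so far has
    probability k/n of being in the reservoir, so a host that produced many
    observations is far more likely to be represented than one hit once.
    """
    reservoir = []
    for i, item in enumerate(stream):
        if i < k:
            reservoir.append(item)
        else:
            j = rng.randint(0, i)  # inclusive upper bound: j is in [0, i]
            if j < k:
                reservoir[j] = item
    return reservoir


def inclusion_frequency(stream, k, trials, seed=0):
    """Repeat the sampling many times and return, per host, the fraction of
    trials in which that host appeared at least once in the sample."""
    rng = random.Random(seed)
    seen = Counter()
    for _ in range(trials):
        for host in set(reservoir_sample(stream, k, rng)):
            seen[host] += 1
    return {host: seen[host] / trials for host in set(stream)}


if __name__ == "__main__":
    table = full_victim_table(SCAN_STREAM)
    print(f"full table: {len(table)} victims, "
          f"{table['10.0.0.1']} observations for 10.0.0.1")
    freq = inclusion_frequency(SCAN_STREAM, k=5, trials=500)
    print(f"10.0.0.1 present in sample: {freq['10.0.0.1']:.3f} of trials")
    print(f"10.0.1.1 present in sample: {freq['10.0.1.1']:.3f} of trials "
          f"(expected about {5 / len(SCAN_STREAM):.4f})")
```

The full table gives all eleven victims at the cost of one entry per distinct host; the five-element reservoir gives a bounded-size result in which the heavily scanned host dominates, which is exactly what makes the sample useful for "who got hammered" and less useful for "who got touched at all".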