[Bro] Bro and scan detection - the new script. And performance.

Michał Purzyński michalpurzynski1 at gmail.com
Mon Aug 24 23:35:49 PDT 2015

If memory serves me right, there was an old scanning detection script
and now there is a new one in ./scripts/policy/misc/scan.bro

The old one was discouraged on large clusters, is the new one better?

TL;DR to my surprise I have like 60Gbit of traffic here (OK, spikes
;-), millions of connections, insane amount of logs and I'm wondering
if I could enable it. It's not like I want to sacrifice lots of
performance, though. At best it will tell me that people are scanning
us 24/7, something that's quite obvious, but it would be a nice thing
to correlate and trace the attacker what he's doing, what other
services was he looking for before he started hammering some innocent
HTTP site and so on.

What do you think?

More information about the Bro mailing list