[Bro] Scan ports doubt

Cristian Barbaro cbarbaro at cert.unlp.edu.ar
Tue Dec 15 14:10:22 PST 2015


Hello, Community.

I have a problem with port scans:

I'm working on a script to detect port scans (horizontal and
vertical) using the scan.bro script, and I send an email when one is
detected. I have a question about Notice::policy execution times.
I scan an IP's ports (e.g. 10.10.10.10) from a specific IP (e.g.
10.10.1.2). The first time the scan is detected, the email is sent, but
if I do another scan of the same IP (10.10.10.10) from 10.10.1.2, the
Notice::policy hook doesn't execute again.
If I do an nmap scan from another IP (e.g. 10.10.2.2) to 10.10.10.10,
the same problem occurs: it only detects the first time executing
Notice::policy.

I would like to change this option, but I can't find how to do it.


Thank you and I'm sorry for my English.

