[Bro] Scan ports doubt
Azoff, Justin S
jazoff at illinois.edu
Tue Dec 15 14:27:50 PST 2015
Duplicate notices are suppressed so that you don't get notified about the same event over and over again.
Try something like this in your local.bro
redef Notice::type_suppression_intervals += {
[Scan::Port_Scan] = 60sec,
[Scan::Address_Scan] = 60sec,
};
--
- Justin Azoff
> On Dec 15, 2015, at 5:10 PM, Cristian Barbaro <cbarbaro at cert.unlp.edu.ar> wrote:
>
> Hello, Community.
>
> I've a problem with scan ports:
>
> I'm working on a script to detect ports scan (horizontal and
> vertical) using scan.bro script and I send email when detected. I've a
> question with Notice::policy executions times.
> I do a scan to IP's ports (e.g. 10.10.10.10) from a specific IP (e.g.
> 10.10.1.2). If scan detected first time, send email, but if I do another
> scan to same IP (10.10.10.10) from 10.10.1.2, Notice::policy hook
> doesn't execute again.
> If I do nmap scan from another IP (e.g. 10.10.2.2) to 10.10.10.10,
> occurs same problem: It only detects first time executing Notice::policy.
>
> I would like to change this options but I can't find how to do it.
>
>
> Thank you and I'm sorry for my English.
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
More information about the Bro
mailing list