[Bro] Scan ports doubt

Azoff, Justin S jazoff at illinois.edu
Tue Dec 15 14:27:50 PST 2015


Duplicate notices are suppressed so that you don't get notified about the same event over and over again.

Try something like this in your local.bro

    redef Notice::type_suppression_intervals += {
        [Scan::Port_Scan]    = 60sec,
        [Scan::Address_Scan] = 60sec,
    };

-- 
- Justin Azoff

> On Dec 15, 2015, at 5:10 PM, Cristian Barbaro <cbarbaro at cert.unlp.edu.ar> wrote:
> 
> Hello, Community.
> 
> I have a problem with port scans:
> 
> I'm working on a script to detect port scans (horizontal and
> vertical) using the scan.bro script, and I send an email when one is detected. I have a
> question about Notice::policy execution times.
> I do a scan of an IP's ports (e.g. 10.10.10.10) from a specific IP (e.g.
> 10.10.1.2). If the scan is detected the first time, an email is sent, but if I do another
> scan of the same IP (10.10.10.10) from 10.10.1.2, the Notice::policy hook
> doesn't execute again.
> If I do an nmap scan from another IP (e.g. 10.10.2.2) to 10.10.10.10,
> the same problem occurs: it only detects the first time, executing Notice::policy once.
> 
> I would like to change these options but I can't find how to do it.
> 
> 
> Thank you and I'm sorry for my English.
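As an added example (not part of Justin's reply or of the scan.bro script), here is how the suppression change above fits into a complete local.bro alongside the email wiring the original poster describes. It assumes the stock `misc/scan` policy script is available and that `Notice::mail_dest` is the address to notify; the 60-second interval is a deliberately short value for testing, since in production a scanner that keeps probing would otherwise generate one email per minute.

```bro
# local.bro: detect port scans with the stock scan.bro and email them,
# re-notifying after 60 seconds instead of the default suppression window.

@load misc/scan

# Where Notice::ACTION_EMAIL sends mail (assumed address; change for your site).
redef Notice::mail_dest = "soc@example.org";

# Suppression is keyed on notice type plus the notice's identifier string.
# Shortening the interval for the two scan notices means a repeat scan
# from the same source is reported again once 60 seconds have passed.
redef Notice::type_suppression_intervals += {
    [Scan::Port_Scan]    = 60sec,
    [Scan::Address_Scan] = 60sec,
};

hook Notice::policy(n: Notice::Info)
    {
    # Only the two scan detectors get the email action; everything else
    # keeps whatever actions the default policy assigned.
    if ( n$note == Scan::Port_Scan || n$note == Scan::Address_Scan )
        {
        add n$actions[Notice::ACTION_EMAIL];

        # Alternative to the redef above: override the suppression window
        # for this single notice instance from inside the policy hook.
        # n$suppress_for = 60sec;
        }
    }
```

Check which notices are actually being suppressed by watching notice.log: a suppressed repeat never appears there, so if entries for the second scan are missing entirely, the suppression interval (not the policy hook) is what is holding them back. Also note that suppression is per identifier, so a scan from a new source IP is only collapsed into the first if the detector assigned both the same identifier.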
