[Bro] [bro] Scanning IP's

Tim Desrochers tgdesrochers at gmail.com
Sun Feb 14 03:14:25 PST 2016


As with every infrastructure, I am plagued with people scanning my external
edge.  I see little value in getting notices for scanning attempts and
password-guessing attempts, but I do see value in running monthly reports
and generating blocklists based on repeat offenders.

Is there a way to tell the notice framework to only create alarms (emails)
for scans of any kind (address, port, password guessing, etc.) if
they are from the IPs in my $HOME_NET defined in network.cfg?

Justification: if I

redef Notice::ignored_types += {
  SSH::Password_Guessing,
  Scan::Address_Scan,
  Scan::Port_Scan,
  HTTP::SQL_Injection_Attacker,
  ShellShock::Scanner,
  ScanUDP::Address_Scan,
  ScanUDP::Port_Scan,
};

Then I get no logging of the events anywhere.  Therefore I can't run
reports of offenders and build active blocklists or do other intel-gathering
activities.

If I:

# Set rule to only email specific notice types:
redef Notice::emailed_types += {
  Weird::Activity,
  Signatures::Sensitive_Signature,
  Signatures::Multiple_Signatures,
  Signatures::Multiple_Sig_Responders,
  Signatures::Count_Signature,
  Intel::Notice,
  TeamCymruMalwareHashRegistry::Match,
  Traceroute::Detected,
  FTP::Bruteforcing,
  FTP::Site_Exec_Success,
  HTTP::SQL_Injection_Victim,
  SMTP::Blocklist_Error_Message,
  SMTP::Blocklist_Blocked_Host,
  SMTP::Suspicious_Origination,
  SSH::Login_By_Password_Guesser,
  SSH::Interesting_Hostname_Login,
};

Then I get flooded with email from any of the guessing activity.  (Side note:
I find that the above logic doesn't restrict email notices to just those
listed in the defined email types above.  I still get plenty of notices
about events not listed in the list above.)  If the redef of
Notice::emailed_types worked it would be a start, but I'd still like to get
emails about IP addresses in my internal net getting scanned by other IPs
in my internal net; that's definitely an indicator of unwanted behavior.

Any assistance would be greatly appreciated.  Just trying to tune things to
a manageable level.

Thanks
Tim
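One way to get the behaviour asked for above (scans always logged to notice.log, emailed only when the scanning host is one of ours), as an added example that is not part of the original post. It assumes Bro 2.x, where Notice::policy is a hook, and that broctl has populated Site::local_nets from networks.cfg; the set name internal_only_email is a constructed name.

```bro
@load misc/scan
@load protocols/ssh/detect-bruteforcing

# Notice types that should always be written to notice.log but only
# emailed when the offending source sits inside our own address space.
# Keep these OUT of Notice::ignored_types (which suppresses the log
# entry) and OUT of Notice::emailed_types (which emails every instance).
const internal_only_email: set[Notice::Type] = {
    Scan::Address_Scan,
    Scan::Port_Scan,
    SSH::Password_Guessing,
} &redef;

# Every loaded Notice::policy hook body runs for each notice; this one
# only ever adds an action, so logging from the base policy is untouched.
hook Notice::policy(n: Notice::Info)
    {
    if ( n$note in internal_only_email )
        {
        # Not every notice carries a src field; guard before reading it.
        # Site::is_local_addr() checks against the networks.cfg ranges.
        if ( n?$src && Site::is_local_addr(n$src) )
            add n$actions[Notice::ACTION_EMAIL];
        }
    }
```

External scanners still land in notice.log for the monthly report, while an internal host scanning another internal host triggers the email.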