[Bro] event suppression
Azoff, Justin S
jazoff at illinois.edu
Tue Feb 16 06:56:18 PST 2016
port_scan_interval is not the suppression interval:
## Port scans detect that an attacking host appears to be
## scanning a single victim host on several ports. This notice
## is generated when an attacking host attempts to connect to
## :bro:id:`Scan::port_scan_threshold`
## unique ports on a single host over the previous
## :bro:id:`Scan::port_scan_interval` time range.
## Failed connection attempts are tracked over this time interval for
## the port scan detection. A higher interval will detect slower
## scanners, but may also yield more false positives.
If you want to change the suppression interval, use:
redef Notice::type_suppression_intervals += {
    [Scan::Port_Scan] = 300sec,
    [Scan::Address_Scan] = 300sec,
};
--
- Justin Azoff
> On Feb 16, 2016, at 9:50 AM, Martin Arlitt <martin.arlitt at ucalgary.ca> wrote:
>
> hi
>
> the event suppression in Bro does not appear to work the way I thought
> it would. For example, in my notice.log file, the suppress_for value
> always appears to be 3600. In misc/scan.bro (loaded in local.bro),
> addr_scan_interval and port_scan_interval both are set to 5min by
> default, yet still report 3600 in the suppress_for column of the log. Is
> there something obvious that I am overlooking?
>
> thanks Martin
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
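The distinction Justin draws above, as an added example that is not part of the thread: a local.bro fragment that sets the scan-detection window and the notice-suppression interval separately. The redefs use identifiers from the page (Scan::port_scan_interval, Notice::type_suppression_intervals) plus Notice::default_suppression_interval, whose 1hr default is what produces the 3600 in the suppress_for column; the Notice::policy hook at the end is assumed to be allowed to adjust $suppress_for before suppression is checked, and Site::is_local_addr is assumed to be loaded with the default site scripts.

```bro
# Added example (not from the thread): keeping the detection window and the
# suppression interval apart in a Bro 2.x local.bro.
@load misc/scan

# Detection window: how long failed connection attempts are remembered while
# counting toward Scan::port_scan_threshold / Scan::addr_scan_threshold.
# Widening it catches slower scanners at the cost of more false positives.
# It has no effect on the suppress_for value written to notice.log.
redef Scan::port_scan_interval = 10min;
redef Scan::addr_scan_interval = 10min;

# Suppression: once a notice with a given identifier has fired, repeats are
# held back for this long. With no entry here for a notice type,
# Notice::default_suppression_interval (1hr, i.e. 3600 in the log) applies.
redef Notice::type_suppression_intervals += {
    [Scan::Port_Scan]    = 300sec,
    [Scan::Address_Scan] = 300sec,
};

# Per-notice override (assumed hook usage): surface repeat detections sooner
# when the scanner sits inside the local address space.
hook Notice::policy(n: Notice::Info)
	{
	if ( n$note == Scan::Port_Scan && n?$src && Site::is_local_addr(n$src) )
		n$suppress_for = 60sec;
	}
```

With this loaded, a scanner is still counted over the 10-minute window, but a second Scan::Port_Scan notice for the same source is dropped for only 300 seconds (60 seconds for local sources) rather than the default hour.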