[Bro] Port Scanning Detection advice

Lizzie Chandler belongtorobby at gmail.com
Mon Mar 7 16:12:28 PST 2016


I saw the original question sent in, and I am / was interested in the same.

The given response has left me more than a little befuddled.

Clarification?
On Mar 7, 2016 5:04 PM, "Graham Bridgeland" <grahambridgeland at yahoo.co.uk>
wrote:

> Hello
>
> Wondering if anyone could shed some light on the best way to handle port
> scanning tasks within Bro. I'm particularly interested in creating a basic
> script to react when a threshold is met i.e. when X attacks are detected
> within a Y time window. Counting the attacks is fine but it's how to relate
> to the time window I'm stuck on. With a start and end time I can create a
> duration but as time is continuous I don't know the best method to decide
> when to start and when to stop.
>
> I'm studying the scan.bro from the \misc folder but can't work out how it
> handles this time-window dilemma. Are there basic notes on these scripts
> other than the comments with them? Not sure if anyone can help but thought
> I'd ask.
>
> Thanks
> Graham
>
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
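The "X events within a Y-second window" logic Graham asks about can be made concrete as a sliding window: the window's end is always the current event's timestamp and its start is that timestamp minus Y, so nothing ever has to decide when a window "starts". This is an added illustrative example in Python, not code from scan.bro or the Bro project; the threshold, window, addresses and ports are constructed.

```python
from collections import defaultdict, deque


class SlidingWindowScanDetector:
    """Flag a source that touches at least `threshold` distinct destination
    ports within any `window` seconds (sliding window, not fixed buckets)."""

    def __init__(self, threshold, window):
        self.threshold = threshold
        self.window = window
        # Per-source deque of (timestamp, dst_port), oldest first.
        self._events = defaultdict(deque)
        self._alerted = set()

    def observe(self, ts, src, dst_port):
        """Record one connection attempt; return True the first time
        `src` crosses the threshold."""
        q = self._events[src]
        q.append((ts, dst_port))
        # Evict events older than ts - window: this is what makes the window
        # slide, so no explicit start/stop bookkeeping is needed.
        while q and ts - q[0][0] > self.window:
            q.popleft()
        distinct_ports = {port for _, port in q}
        if len(distinct_ports) >= self.threshold and src not in self._alerted:
            self._alerted.add(src)
            return True
        return False


# Constructed sample events: (timestamp in seconds, source, destination port).
SAMPLE_EVENTS = [
    # Fast scan: five distinct ports in five seconds -> should alert at t=4.
    (0.0, "10.0.0.5", 22), (1.0, "10.0.0.5", 80), (2.0, "10.0.0.5", 443),
    (3.0, "10.0.0.5", 8080), (4.0, "10.0.0.5", 3389),
    # Slow probing: one port every 30 s never has 5 ports inside 60 s.
    (0.0, "10.0.0.9", 21), (30.0, "10.0.0.9", 22), (60.0, "10.0.0.9", 23),
    (90.0, "10.0.0.9", 25), (120.0, "10.0.0.9", 53),
    # Repeated hits on one port are not a port scan (1 distinct port).
    (5.0, "10.0.0.7", 80), (6.0, "10.0.0.7", 80), (7.0, "10.0.0.7", 80),
    (8.0, "10.0.0.7", 80), (9.0, "10.0.0.7", 80), (10.0, "10.0.0.7", 80),
]


def run(events, threshold=5, window=60.0):
    """Feed events in time order; return (timestamp, source) of each alert."""
    det = SlidingWindowScanDetector(threshold, window)
    return [(ts, src) for ts, src, port in events if det.observe(ts, src, port)]


if __name__ == "__main__":
    print(run(SAMPLE_EVENTS))
```

Bro's own scan.bro hands the counting to the SumStats framework, which evaluates thresholds over fixed epochs rather than a sliding window, so activity that straddles an epoch boundary is split across two counts; the per-source deque above trades memory for not having that seam.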