[Bro] Port Scanning Detection advice

Lizzie Chandler belongtorobby at gmail.com
Mon Mar 7 16:13:21 PST 2016


I saw the original question sent in, and I am / was interested in the same.

The given response has left me more than a bit befuddled.

Clarification?
On Mar 7, 2016 6:12 PM, "Lizzie Chandler" <belongtorobby at gmail.com> wrote:

> I saw the original question sent in, and I am / was interested in the same.
>
> The given response has left me more than a bit befuddled.
>
> Clarification?
> On Mar 7, 2016 5:04 PM, "Graham Bridgeland" <grahambridgeland at yahoo.co.uk>
> wrote:
>
>> Hello
>>
>> Wondering if anyone could shed some light on the best way to handle port
>> scanning tasks within Bro. I'm particularly interested in creating a basic
>> script to react when a threshold is met, i.e. when X attacks are detected
>> within a Y time window. Counting the attacks is fine, but it's how to relate
>> to the time window that I'm stuck on. With a start and end time I can create a
>> duration, but as time is continuous I don't know the best method to decide
>> when to start and when to stop.
>>
>> I'm studying the scan.bro from the \misc folder but can't work out how it
>> handles this time-window dilemma. Are there basic notes on these scripts
>> other than the comments with them? Not sure if anyone can help but thought
>> I'd ask.
>>
>> Thanks
>> Graham
>>
>>
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>
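The "X events within Y" pattern Graham asks about is what scan.bro delegates to Bro's SumStats framework: each `SumStats::create` call carries an `$epoch` interval, the framework resets every key's counters at the end of each epoch, and `$threshold_crossed` fires as soon as `$threshold_val` reaches `$threshold` inside the current epoch, so the script never has to pick start and stop times itself. The script below is an added example written for this thread; it is not code from the original messages or from the scan.bro that ships with Bro. It mirrors the structure of scan.bro's address-scan detector but counts, per source host, the distinct destination hosts that rejected a TCP connection. The module name `ScanExample`, the notice type `Fail_Scan`, the stream name `scanexample.fail`, and the `threshold` and `window` constants are all names chosen for the example.

```bro
##! Added example, not part of the original thread or of Bro's scan.bro:
##! raise a notice when one source gets a TCP RST back from at least
##! `threshold` distinct hosts within one `window`-long SumStats epoch.

@load base/frameworks/sumstats
@load base/frameworks/notice

module ScanExample;

export {
	redef enum Notice::Type += {
		## Raised when a source fails to reach at least `threshold`
		## distinct hosts inside a single epoch.
		Fail_Scan,
	};

	## X: number of distinct rejected destination hosts that trips the notice.
	## (Hypothetical tuning value for this example.)
	const threshold = 25.0 &redef;

	## Y: length of the measurement window; SumStats clears all counters
	## for this stream at the end of every epoch.
	const window = 5min &redef;
}

event bro_init() &priority=5
	{
	# UNIQUE makes the result carry the number of distinct observations
	# (distinct $str values) seen for each key during the epoch.
	local r1: SumStats::Reducer = [$stream="scanexample.fail",
	                               $apply=set(SumStats::UNIQUE)];

	SumStats::create([$name="scanexample-fail",
	                  $epoch=window,
	                  $reducers=set(r1),
	                  # Evaluated whenever an observation arrives; SumStats compares
	                  # the returned double against $threshold for us.
	                  $threshold_val(key: SumStats::Key, result: SumStats::Result) =
	                  	{
	                  	return result["scanexample.fail"]$unique + 0.0;
	                  	},
	                  $threshold=threshold,
	                  # Called once per key per epoch when the threshold is first crossed.
	                  $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
	                  	{
	                  	local r = result["scanexample.fail"];
	                  	# $begin/$end are the timestamps of the first and last
	                  	# observation for this key in the current epoch.
	                  	NOTICE([$note=Fail_Scan,
	                  	        $src=key$host,
	                  	        $msg=fmt("%s was rejected by %d distinct hosts in %s",
	                  	                 key$host, r$unique,
	                  	                 duration_to_mins_secs(r$end - r$begin)),
	                  	        $identifier=cat(key$host)]);
	                  	}]);
	}

# connection_rejected fires for a TCP SYN that is answered with a RST.
# Key the count by the originator; observe the responder as the unique value.
event connection_rejected(c: connection)
	{
	SumStats::observe("scanexample.fail",
	                  [$host=c$id$orig_h],
	                  [$str=cat(c$id$resp_h)]);
	}
```

Two things to keep in mind when tuning this. The epoch is a tumbling window, not a sliding one: a source that rejects 15 hosts in the last minute of one epoch and 15 more in the first minute of the next never reaches 25 in either, so `window` should be set comfortably longer than the scans you expect to catch, or several detectors with different epochs can be stacked. And the threshold check happens on each observation, so the notice fires at the moment the count crosses, not at the end of the epoch; scan.bro additionally gates observations through a policy hook and `Site::is_local_addr` so that only traffic toward monitored hosts is counted, which this example leaves out for brevity.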