[Bro] Port Scanning Detection advice

Johanna Amann johanna at icir.org
Mon Mar 7 17:13:00 PST 2016


Hello Graham,

On Mon, Mar 07, 2016 at 10:56:33PM +0000, Graham Bridgeland wrote:
> Wondering if anyone could shed some light on the best way to handle port
> scanning tasks within Bro. I'm particularly interested in creating a
> basic script to react when a threshold is met i.e. when X attacks are
> detected within a Y time window. Counting the attacks is fine but it's
> how to relate to the time window I'm stuck on. With a start and end time
> I can create a duration but as time is continuous I don't know the best
> method to decide when to start and when to stop.

> I'm studying the scan.bro from the \misc folder but can't work out how
> it handles this time-window dilemma. Are there basic notes on these
> scripts other than the comments with them? Not sure if anyone can help
> but thought I'd ask.

The way that this is done in Bro currently is quite basic. The short
answer is - we don't handle the time-window dilemma. The long answer is -
scan.bro uses the Summary Statistics Framework
(https://www.bro.org/sphinx/frameworks/sumstats.html). SumStats allows you
to easily count things that are going on and set thresholds, etc. At the
moment, these thresholds are epoch-based - you give SumStats a period of
time during which you want to check the thresholds (e.g., one hour, a day,
etc). If a threshold is reached during that time period, the callback
function is called.

After an epoch has passed, all counters are reset to zero and counting starts
from the beginning. There is currently no additional handling of time
windows. So - currently the decision on where exactly these windows are is
based on the startup time of Bro.

Johanna
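As an added illustration of the epoch-based behaviour described above (this is constructed example code, not a script from the thread or from Bro/SumStats itself), the Python below counts distinct destination ports per source both the SumStats way, per fixed epoch measured from a start time, and over a sliding window, so that a burst straddling an epoch boundary can be seen to slip past the former and be caught by the latter. The sample event stream, threshold and epoch length are assumptions.

```python
from collections import defaultdict

# Constructed sample: one source probing 16 distinct ports, 8 just before and
# 8 just after an epoch boundary at t=300s. Tuples are (time_s, src_ip, dst_port).
EVENTS = [(290.0 + i, "10.0.0.5", 1000 + i) for i in range(8)] + \
         [(301.0 + i, "10.0.0.5", 2000 + i) for i in range(8)]

THRESHOLD = 15    # distinct ports per source before alerting (assumed value)
EPOCH = 300.0     # SumStats-style epoch: counters reset when it ends
WINDOW = 300.0    # sliding-window length for the alternative

def epoch_alerts(events, epoch=EPOCH, threshold=THRESHOLD, start=0.0):
    """Epoch-based counting as SumStats does it: events are bucketed by epoch
    number relative to a fixed start time (Bro's startup time in practice), and
    distinct ports are counted per (epoch, source). Returns (time, src, epoch_no)
    for the first event in a bucket that reaches the threshold."""
    seen = defaultdict(set)           # (epoch_no, src) -> set of ports observed
    alerts = []
    for t, src, port in sorted(events):
        key = (int((t - start) // epoch), src)
        seen[key].add(port)
        if len(seen[key]) == threshold:   # fire once, when the bucket reaches it
            alerts.append((t, src, key[0]))
    return alerts

def sliding_alerts(events, window=WINDOW, threshold=THRESHOLD):
    """Sliding window: for each event, count the distinct ports this source has
    probed within the last `window` seconds, so a burst split across an epoch
    boundary is still counted as one burst. Returns (time, src) when the count
    reaches the threshold."""
    last_seen = defaultdict(dict)     # src -> {port: most recent probe time}
    alerts = []
    for t, src, port in sorted(events):
        ports = last_seen[src]
        ports[port] = t
        # evict ports whose most recent probe has aged out of the window
        for stale in [p for p, ts in ports.items() if t - ts > window]:
            del ports[stale]
        if len(ports) == threshold:
            alerts.append((t, src))
    return alerts

if __name__ == "__main__":
    print("epoch-based:", epoch_alerts(EVENTS))      # no alert: 8 + 8 per epoch
    print("sliding:    ", sliding_alerts(EVENTS))    # alerts at t=307.0
```

With the sample stream the epoch-based counter sees two separate groups of 8 and never fires, while the sliding window reaches 15 distinct ports at t=307.0; a burst entirely inside one epoch fires in both.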

