[Bro] Scan UDP

Aashish Sharma asharma at lbl.gov
Wed Mar 9 17:12:09 PST 2016


Nicholas,

If you don't mind sharing your bash script, maybe we can look at that and incorporate that logic into this bro script
itself.

Aashish

On Wed, Mar 09, 2016 at 09:44:00PM -0300, Nicolas Macia CESPI wrote:
> 
> Hi Seth, we were using [1] for some time and we found it triggered some
> false positive alerts.
> 
> The problem was detected with NTP and DNS servers with a lot of
> activity. The script alerts that these servers were scanning UDP ports
> when in reality they were responding to requests to their services.
> 
> Today we use an external bash script to determine whether or not it is a
> false positive (using known UDP ports)... not the best solution, but it
> works pretty well.
> 
> 
> [1] https://github.com/sethhall/bro-junk-drawer/blob/master/scan_udp.bro
> 
> 
> Cheers.
> Nico
> 
> > On 12/02/16 at 17:00, bro-request at bro.org wrote:
> >> Today's Topics:
> >>
> >>    1. Re: Scan UDP (Seth Hall)
> >>    2. Re: Scan UDP (Forest Monsen)
> >>    3. Re: SHA256 Hash File Analyzer (Shawn Homan)
> >>
> >>
> >> ----------------------------------------------------------------------
> >>
> >> Message: 1
> >> Date: Thu, 11 Feb 2016 15:58:33 -0500
> >> From: Seth Hall <seth at icir.org>
> >> Subject: Re: [Bro] Scan UDP
> >> To: Cristian Daniel Barbaro <cbarbaro at cert.unlp.edu.ar>
> >> Cc: bro at bro.org
> >> Message-ID: <82CCEB61-C63B-49C8-8CDA-35DDB1D05B01 at icir.org>
> >> Content-Type: text/plain; charset=us-ascii
> >>
> >>
> >>> On Feb 11, 2016, at 1:53 PM, Cristian Daniel Barbaro <cbarbaro at cert.unlp.edu.ar> wrote:
> >>>
> >>> Bro implements this scan type detect?
> >> There is a prototype script that we put together a while ago that detects UDP scans.  If you run it, I'd love to get any feedback that you have.
> >> 	https://github.com/sethhall/bro-junk-drawer/blob/master/scan_udp.bro
> >>
> >>   .Seth
> >>
> 
> -----
> CeSPI   
> Centro Superior para el Procesamiento de la Información
> 
> Universidad Nacional de La Plata
> -------------------------------------------------------------------------------
> Protect the environment. Do not print this email unless it is absolutely necessary
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
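An added example of the "known UDP ports" check that Nico describes, written for this post and not taken from his bash script or from Seth's scan_udp.bro. It reads constructed conn.log-style UDP records, skips flows that originate from a well-known UDP service port on the assumption that those are a server's replies, and only then counts distinct targets per source host; the port list and the threshold are illustrative choices.

```python
from collections import defaultdict

# Assumption (not stated in the thread): a UDP server answers clients from its
# service port, so a flow whose originator port is a well-known UDP service is
# treated as a reply, not a probe. The port list is an illustrative choice.
KNOWN_UDP_SERVICE_PORTS = {53, 123, 161, 514}
SCAN_THRESHOLD = 5  # distinct (resp_h, resp_p) targets before a host is flagged

# Constructed conn.log-style records (tab-separated subset of Bro's fields):
# ts  id.orig_h  id.orig_p  id.resp_h  id.resp_p  proto  conn_state
SAMPLE_CONN_LOG = """\
1457571000.1\t10.0.0.53\t53\t198.51.100.1\t40001\tudp\tSHR
1457571000.2\t10.0.0.53\t53\t198.51.100.2\t40002\tudp\tSHR
1457571000.3\t10.0.0.53\t53\t198.51.100.3\t40003\tudp\tSHR
1457571000.4\t10.0.0.53\t53\t198.51.100.4\t40004\tudp\tSHR
1457571000.5\t10.0.0.53\t53\t198.51.100.5\t40005\tudp\tSHR
1457571000.6\t10.0.0.53\t53\t198.51.100.6\t40006\tudp\tSHR
1457571001.1\t192.0.2.10\t51000\t10.0.0.7\t69\tudp\tS0
1457571001.2\t192.0.2.10\t51001\t10.0.0.7\t161\tudp\tS0
1457571001.3\t192.0.2.10\t51002\t10.0.0.7\t500\tudp\tS0
1457571001.4\t192.0.2.10\t51003\t10.0.0.8\t69\tudp\tS0
1457571001.5\t192.0.2.10\t51004\t10.0.0.8\t161\tudp\tS0
1457571001.6\t192.0.2.10\t51005\t10.0.0.8\t500\tudp\tS0
"""

def parse_conn_log(text):
    """Yield the UDP records as dicts, skipping comment/header and short lines."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 6 or fields[5] != "udp":
            continue
        yield {"orig_h": fields[1], "orig_p": int(fields[2]),
               "resp_h": fields[3], "resp_p": int(fields[4])}

def udp_scanners(text, threshold=SCAN_THRESHOLD, known_ports=KNOWN_UDP_SERVICE_PORTS):
    """Return {host: distinct target count} for hosts at or above the threshold."""
    targets = defaultdict(set)
    for rec in parse_conn_log(text):
        if rec["orig_p"] in known_ports:
            continue  # originates from a service port: a server reply, not a probe
        targets[rec["orig_h"]].add((rec["resp_h"], rec["resp_p"]))
    return {host: len(t) for host, t in targets.items() if len(t) >= threshold}

if __name__ == "__main__":
    print("with known-port filter:   ", udp_scanners(SAMPLE_CONN_LOG))
    print("without known-port filter:", udp_scanners(SAMPLE_CONN_LOG, known_ports=set()))
```

Run without the filter, the busy DNS server at 10.0.0.53 is flagged alongside the real scanner, which is exactly the false positive reported above.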

