[Bro] Scan UDP

Nicolas Macia CESPI nmacia at cespi.unlp.edu.ar
Fri Mar 11 12:09:35 PST 2016


Aashish, you misunderstood me. What we did was to not consider
communications from those ports (NTP & DNS).

I think the problem is that in conn.log there are a lot of UDP connections
marked with the is_local flag set to T when they are not.

I guessed that this happens because of some packets dropped at the NIDS
installation, but netstat -ni does not show any drops or errors on the
capture interface.


nico



On 09/03/16 at 22:12, Aashish Sharma wrote:
> Nicholas,
>
> If you don't mind sharing your bash script, maybe we can look at that and incorporate that logic into this bro script
> itself.
>
> Aashish
>
> On Wed, Mar 09, 2016 at 09:44:00PM -0300, Nicolas Macia CESPI wrote:
>> Hi Seth, we were using [1] for some time and we found it triggered some
>> false-positive alerts.
>>
>> The problem was detected with NTP and DNS servers with a lot of
>> activity. The script alerts that these servers were scanning UDP ports
>> when in reality they were responding to requests to their services.
>>
>> Today we use an external bash script to determine whether or not it is a
>> false positive (using known UDP ports)... not the best solution but it
>> works pretty well.
>>
>>
>> [1] https://github.com/sethhall/bro-junk-drawer/blob/master/scan_udp.bro
>>
>>
>> Cheers.
>> Nico
>>
>>> On 12/02/16 at 17:00, bro-request at bro.org wrote:
>>>> Today's Topics:
>>>>
>>>>    1. Re: Scan UDP (Seth Hall)
>>>>    2. Re: Scan UDP (Forest Monsen)
>>>>    3. Re: SHA256 Hash File Analyzer (Shawn Homan)
>>>>
>>>>
>>>> ----------------------------------------------------------------------
>>>>
>>>> Message: 1
>>>> Date: Thu, 11 Feb 2016 15:58:33 -0500
>>>> From: Seth Hall <seth at icir.org>
>>>> Subject: Re: [Bro] Scan UDP
>>>> To: Cristian Daniel Barbaro <cbarbaro at cert.unlp.edu.ar>
>>>> Cc: bro at bro.org
>>>> Message-ID: <82CCEB61-C63B-49C8-8CDA-35DDB1D05B01 at icir.org>
>>>> Content-Type: text/plain; charset=us-ascii
>>>>
>>>>
>>>>> On Feb 11, 2016, at 1:53 PM, Cristian Daniel Barbaro <cbarbaro at cert.unlp.edu.ar> wrote:
>>>>>
>>>>> Bro implements this scan type detect?
>>>> There is a prototype script that we put together a while ago that detects UDP scans.  If you run it, I'd love to get any feedback that you have.
>>>> 	https://github.com/sethhall/bro-junk-drawer/blob/master/scan_udp.bro
>>>>
>>>>   .Seth
>>>>
>> -----
>> CeSPI   
>> Centro Superior para el Procesamiento de la Información
>>
>> Universidad Nacional de La Plata
>> -------------------------------------------------------------------------------
>> Protect the environment. Do not print this e-mail unless absolutely necessary.
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro



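The thread leaves the "known UDP ports" post-filter unspecified. The script below is an added example written for this page, not scan_udp.bro and not CeSPI's bash script: it reads a Bro/Zeek conn.log, flags originators with many unanswered (S0) UDP flows to distinct hosts, and suppresses flows that look like a server answering from a well-known service port (53, 123) to a client's ephemeral port, which is how a busy resolver whose queries the sensor missed would appear. The log lines, addresses, port set and threshold are all constructed for the example, and the assumption that one-sided server replies are what trips the scan detector is the thread's guess about dropped packets, not a verified fact.

```python
"""Post-filter UDP scan candidates from a Bro/Zeek conn.log.

Added example for the mailing-list thread: not scan_udp.bro and not the
external bash script mentioned there. Sample log content is constructed.
"""
from collections import defaultdict

# Assumption for this example: ports a local server legitimately answers from.
KNOWN_SERVICE_PORTS = {53, 123}
EPHEMERAL_MIN = 1024      # client source ports are expected at or above this
SCAN_THRESHOLD = 5        # distinct unanswered destination hosts before alerting

# Bro 2.x conn.log column layout (order matters for the constructed rows).
FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "proto", "service", "duration", "orig_bytes", "resp_bytes",
          "conn_state", "local_orig", "local_resp", "missed_bytes", "history",
          "orig_pkts", "orig_ip_bytes", "resp_pkts", "resp_ip_bytes",
          "tunnel_parents"]


def parse_conn_log(text):
    """Yield one dict per data row, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("conn.log without #fields header")
        yield dict(zip(fields, line.split("\t")))


def looks_like_service_response(rec):
    """One-sided flow from a known service port to an ephemeral port: probably
    a server answering a request the sensor never saw, so not scan evidence.
    Requiring the *destination* to be ephemeral keeps a scanner that merely
    sets its source port to 53 (e.g. 53 -> 53 sweeps) from being whitelisted."""
    return (int(rec["id.orig_p"]) in KNOWN_SERVICE_PORTS
            and int(rec["id.resp_p"]) >= EPHEMERAL_MIN)


def udp_scanners(text, threshold=SCAN_THRESHOLD, suppress_services=True):
    """Return {originator: distinct hosts probed} for UDP originators whose
    unanswered (conn_state S0) flows reach at least `threshold` hosts."""
    targets = defaultdict(set)
    for rec in parse_conn_log(text):
        if rec["proto"] != "udp" or rec["conn_state"] != "S0":
            continue
        if suppress_services and looks_like_service_response(rec):
            continue
        targets[rec["id.orig_h"]].add(rec["id.resp_h"])
    return {h: len(t) for h, t in targets.items() if len(t) >= threshold}


def _conn(n, orig_h, orig_p, resp_h, resp_p, state="S0"):
    """Build one constructed conn.log row; unused columns are left unset ('-')."""
    row = dict.fromkeys(FIELDS, "-")
    row.update({"ts": str(1457715000 + n), "uid": "Cx%06d" % n,
                "id.orig_h": orig_h, "id.orig_p": str(orig_p),
                "id.resp_h": resp_h, "id.resp_p": str(resp_p),
                "proto": "udp", "conn_state": state, "local_orig": "T",
                "history": "D", "orig_pkts": "1"})
    return "\t".join(row[f] for f in FIELDS)


def build_sample_log():
    """Constructed conn.log: a busy resolver, a real scanner, and a scanner
    using source port 53 to look like DNS traffic."""
    rows = []
    # 1) Local DNS server answering clients whose queries were not captured:
    #    logged with the server as originator, port 53 -> client ephemeral port.
    rows += [_conn(i, "10.0.0.53", 53, "192.0.2.%d" % i, 50000 + i)
             for i in range(1, 9)]
    # 2) UDP scanner sweeping SNMP (161/udp) across a /24 from one source port.
    rows += [_conn(100 + i, "203.0.113.7", 41000, "10.0.0.%d" % i, 161)
             for i in range(1, 9)]
    # 3) Scanner sending from port 53 to port 53: must still be reported.
    rows += [_conn(200 + i, "198.51.100.9", 53, "10.0.1.%d" % i, 53)
             for i in range(1, 9)]
    # 4) An answered flow (SF) is not scan evidence and is ignored.
    rows.append(_conn(300, "203.0.113.7", 41000, "10.0.0.9", 53, state="SF"))
    header = "#separator \\x09\n#fields\t" + "\t".join(FIELDS)
    return header + "\n" + "\n".join(rows) + "\n"


if __name__ == "__main__":
    print(udp_scanners(build_sample_log()))
```

Run against a real conn.log by passing its text to `udp_scanners()`; the parser keys columns by the `#fields` header, so extra or reordered columns do not matter. The suppression deliberately checks both ends of the flow: whitelisting on the originator's port alone, as a plain "known UDP ports" list would, lets anyone scan from source port 53 for free.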
