[Bro] Scanned Unique Host
Azoff, Justin S
jazoff at illinois.edu
Thu Dec 28 08:45:19 PST 2017
> On Dec 28, 2017, at 10:47 AM, Johanna Amann <johanna at icir.org> wrote:
>
> Hi,
>
> typically the only way to do this is to look into conn.log; it might be
> possible to add that information using the SAMPLE or LAST SumStat
> reducers; however that will require modifying scans.bro.
>
> Johanna
This has come up a few times. What do you think of the idea of adding a tags field to conn.log like http.log has?
The sql injection script makes good use of this:
    if ( match_sql_injection_uri in unescaped_URI )
        {
        add c$http$tags[URI_SQLI];
        SumStats::observe("http.sqli.attacker", [$host=c$id$orig_h], [$str=original_URI]);
        SumStats::observe("http.sqli.victim", [$host=c$id$resp_h], [$str=original_URI]);
        }
But there's no corresponding c$conn$tags.
Adding SCAN to c$conn$tags would make it easy to figure things out after the fact.
—
Justin Azoff
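As an added illustration of the conn.log tags field proposed in the message above (this is example code written for this page, not a script from the Bro project or from the poster), the following sketch mirrors how http.log gets its tags: a Tag enum, a logged set field redef'd onto Conn::Info, and a connection_state_remove handler that copies tags into the record just before the entry is written. The module name ConnTags, the pending_tags field, the scanners set and its one-hour expiry are assumptions made for illustration; Scan::Address_Scan and Scan::Port_Scan are the notice types raised by policy/misc/scan.bro, and the priorities assumed here (c$conn created at priority 5 and logged at priority -5) are those of Bro 2.x's base/protocols/conn/main.bro.

```bro
# Added example, not part of the original post: a conn.log "tags" field
# modelled on HTTP::Tags from base/protocols/http/main.bro.
# ConnTags, pending_tags, scanners and the 1hr expiry are assumptions.

@load base/protocols/conn
@load base/frameworks/notice
@load policy/misc/scan

module ConnTags;

export {
	## Tags that can be attached to a conn.log entry, like HTTP::Tags.
	type Tag: enum {
		## The originator was flagged by the scan detector while this
		## connection was still being tracked.
		SCAN,
	};

	redef record Conn::Info += {
		## Indicators other scripts attach to the whole connection.
		tags: set[Tag] &log &default=set();
	};

	## Originators recently named in a Scan notice (assumed 1-hour memory).
	global scanners: set[addr] &create_expire=1hr;
}

# In Bro 2.x, c$conn is only created in connection_state_remove, so tags
# added earlier in a connection's lifetime are parked on the connection
# record and copied into c$conn at log time.
redef record connection += {
	pending_tags: set[Tag] &default=set();
};

## Entry point for other scripts: callable at any point in the connection.
function add_tag(c: connection, t: Tag)
	{
	add c$pending_tags[t];
	}

# Remember hosts that scans.bro reports, so their later connections can be
# tagged without touching scans.bro itself.
hook Notice::policy(n: Notice::Info)
	{
	if ( n?$src && ( n$note == Scan::Address_Scan || n$note == Scan::Port_Scan ) )
		add scanners[n$src];
	}

# Priority 0 runs after Conn::main has created c$conn (priority 5) and
# before it writes the entry (priority -5), so the tags reach conn.log.
event connection_state_remove(c: connection) &priority=0
	{
	if ( c$id$orig_h in scanners )
		add_tag(c, SCAN);

	if ( c?$conn )
		for ( t in c$pending_tags )
			add c$conn$tags[t];
	}
```

With this loaded, conn.log gains a tags column that reads `ConnTags::SCAN` for connections from a host the scan detector has already flagged, which is the after-the-fact lookup the post asks for; any other script can call `ConnTags::add_tag(c, ...)` with further enum values in the same way the SQL injection script adds URI_SQLI to c$http$tags.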