[Bro] Scanned Unique Host

Johanna Amann johanna at icir.org
Thu Dec 28 12:40:52 PST 2017


> This has come up a few times. What do you think of the idea of adding a tags field to conn.log like http.log has?

That might be a good idea - even though I am always a bit hesitant to add
new fields to conn.log. One small drawback is that this approach will
always only mark future connections as scan connections - all the ones
that actually caused something to be recognized as scanning activity will
probably already have been logged into conn.log (and we don't actually
have the connection UIDs - at least at the moment).

So - adding a sample of IPs might still make sense. Or even make more
sense in this case.

Johanna
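As an added illustration of the tagging idea discussed above (example script, not code from the thread or from the Bro project), the following Bro 2.x script mirrors http.log's `tags` field on conn.log and marks connections whose originator has already raised a scan notice. It assumes the `Scan::Address_Scan` and `Scan::Port_Scan` notice types from `policy/misc/scan.bro`; the module name `ScanTag`, the one-day expiry and the tag string `"scan"` are arbitrary choices made here.

```zeek
##! Added example, not part of the mailing-list thread or of Bro itself:
##! tag conn.log entries for hosts that scan detection has already flagged.
##! Assumes the Scan::Address_Scan / Scan::Port_Scan notices from
##! policy/misc/scan.bro (Bro 2.x).

@load misc/scan

module ScanTag;

export {
	## Originators that have raised a scan notice. The expiry is an
	## arbitrary choice for this example.
	global scanners: set[addr] &create_expire=1day;
}

## Extend the conn.log record with a tag set, in the same style as
## HTTP::Info$tags.
redef record Conn::Info += {
	tags: set[string] &log &default=set();
};

## Remember the source address of every scan notice that fires.
hook Notice::policy(n: Notice::Info)
	{
	if ( n?$src && (n$note == Scan::Address_Scan || n$note == Scan::Port_Scan) )
		add scanners[n$src];
	}

## Conn::LOG is written from connection_state_remove at priority 5, so this
## handler uses a higher priority to run before the record is logged.
## This also shows the limitation raised in the thread: only connections
## that end after the notice fired get the tag; the connections that
## triggered the notice were already written to conn.log.
event connection_state_remove(c: connection) &priority=10
	{
	if ( ! c?$conn )
		return;

	if ( c$id$orig_h in scanners )
		add c$conn$tags["scan"];
	}
```

Loading this script alongside the standard scan policy adds a `tags` column to conn.log; a query for rows whose tag set contains `scan` then gives the follow-on activity of a flagged host, while the initial probing connections have to be found separately (for instance by source address and time window around the notice).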
