[Bro] Scanned Unique Host

Azoff, Justin S jazoff at illinois.edu
Thu Dec 28 12:53:29 PST 2017


> On Dec 28, 2017, at 3:40 PM, Johanna Amann <johanna at icir.org> wrote:
> 
>> This has come up a few times.. What do you think of the idea of adding a tags field to conn.log like http.log has?
> 
> That might be a good idea - even though I am always a bit hesitant to add
> new fields to conn.log. One small drawback is that this approach will
> always only mark future connections as scan connections - all the ones
> that actually caused something to be recognized as scanning activity will
> probably already have been logged into conn.log (and we don't actually
> have the connection UIDs - at least at the moment).

Yeah.. I don't really want to add a new field either, but I think it could be useful in a few places.
Maybe I just need to come up with a handful first :-)

I thought it would work fine for scans.. all my scan.bro does is this:

# History "S": the originator's SYN was never answered (half-open probe).
event connection_attempt(c: connection)
    {
    if ( c$history == "S" )
        add_scan(c$id);   # add_scan() is my local helper, not shown here
    }

# History "Sr": SYN answered by a RST from the responder (closed port).
event connection_rejected(c: connection)
    {
    if ( c$history == "Sr" )
        add_scan(c$id);
    }

So as long as I could add to c$conn$tags from those 2 events before the log is written, it would work.


> So - adding a sample of IPs might still make sense. Or even make more
> sense in this case.

I was thinking about doing that, but the only good place I know of to put a lot of info is in email_body_sections, and that doesn't make it to the notice.log



— 
Justin Azoff
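As an added illustration (not Justin's scan.bro and not part of the Bro distribution), one way to get a history-based tag into conn.log from those two events: c$conn is only populated by the base Conn script once connection_state_remove fires, so the tag is parked on the connection record first and copied into a new Conn::Info field before the log is written. The `tags` column, the `scan_tags` scratch field and the "scan" tag value are assumptions.

```zeek
# Added example: carry a history-based "scan" tag into conn.log.
# Field names here are assumptions, not Bro/Zeek defaults.
@load base/protocols/conn

module ScanTag;

export {
    # New conn.log column, modelled on the http.log "tags" set.
    redef record Conn::Info += {
        tags: set[string] &log &default=set();
    };
}

# c$conn is not guaranteed to exist yet when connection_attempt or
# connection_rejected fires, so stash the tags on the connection itself.
redef record connection += {
    scan_tags: set[string] &default=set();
};

# History "S": SYN seen, never answered.
event connection_attempt(c: connection)
    {
    if ( c$history == "S" )
        add c$scan_tags["scan"];
    }

# History "Sr": SYN answered with a RST from the responder.
event connection_rejected(c: connection)
    {
    if ( c$history == "Sr" )
        add c$scan_tags["scan"];
    }

# The base Conn script fills c$conn at priority 5 and calls Log::write
# at priority -5, so a default-priority handler sees c$conn populated
# and still runs before the record is written out.
event connection_state_remove(c: connection)
    {
    if ( |c$scan_tags| > 0 )
        c$conn$tags = c$scan_tags;
    }
```

Connections that never produced a connection_attempt or connection_rejected event simply log an empty tags set, so existing conn.log consumers only see one extra column.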
