[Bro] Scanned Unique Host

Zeolla@GMail.com zeolla at gmail.com
Thu Dec 28 17:02:12 PST 2017


Would https://github.com/JonZeolla/scan-sampling do what you're looking
for?  It's in bro-pkg as well.

Jon

On Thu, Dec 28, 2017, 15:55 Azoff, Justin S <jazoff at illinois.edu> wrote:

>
> > On Dec 28, 2017, at 3:40 PM, Johanna Amann <johanna at icir.org> wrote:
> >
> >> This has come up a few times.. What do you think of the idea of adding
> >> a tags field to conn.log like http.log has?
> >
> > That might be a good idea - even though I am always a bit hesitant to add
> > new fields to conn.log. One small drawback is that this approach will
> > always only mark future connections as scan connections - all the ones
> > that actually caused something to be recognized as scanning activity will
> > probably already have been logged into conn.log (and we don't actually
> > have the connection UIDs - at least at the moment).
>
> Yeah.. I don't really want to add a new field either, but I think it could
> be useful in a few places.
> Maybe I just need to come up with a handful first :-)
>
> I thought it would work fine for scans.. all my scan.bro does is this:
>
> event connection_attempt(c: connection)
>     {
>     if ( c$history == "S" )
>         add_scan(c$id);
>     }
>
> event connection_rejected(c: connection)
>     {
>     if ( c$history == "Sr" )
>         add_scan(c$id);
>     }
>
> So as long as I could add to c$conn$tags from those 2 events before the
> log is written, it would work.
>
>
> > So - adding a sample of IPs might still make sense. Or even make more
> > sense in this case.
>
> I was thinking about doing that, but the only good place I know of to put
> a lot of info is in email_body_sections, and that doesn't make it to the
> notice.log
>
>
>
> Justin Azoff
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

-- 

Jon
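As an added illustration of the two ideas in the quoted exchange (not code from the thread or from scan-sampling): post-processing already-written conn.log records sidesteps the drawback Johanna raises, since the tagging no longer depends on catching the connection before it is logged. The script below applies Justin's two scan.bro conditions (history `S` or `Sr`) to constructed conn.log lines, adds a hypothetical `tags` column, and builds a bounded per-source sample of target IPs of the kind discussed for the notice. The column subset and all addresses are constructed for the example.

```python
from collections import defaultdict

# Constructed sample in Bro/Zeek conn.log TSV layout (only a subset of the
# real columns, for illustration). The history column is what Justin's
# scan.bro keys on: "S" = unanswered SYN, "Sr" = SYN answered by a RST.
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\thistory
1514505600.1\tCxa1\t10.0.0.5\t40001\t192.0.2.10\t22\ttcp\tS
1514505600.2\tCxa2\t10.0.0.5\t40002\t192.0.2.11\t22\ttcp\tSr
1514505600.3\tCxa3\t10.0.0.5\t40003\t192.0.2.12\t22\ttcp\tS
1514505600.4\tCxa4\t10.0.0.7\t51000\t192.0.2.10\t443\ttcp\tShADadFf
1514505600.5\tCxa5\t10.0.0.5\t40004\t192.0.2.10\t80\ttcp\tShADadFf
"""

SCAN_HISTORIES = {"S", "Sr"}  # the two cases from the quoted scan.bro


def parse_conn_log(text):
    """Parse a conn.log body into dicts keyed by the #fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other metadata lines (#separator, #types, #close, ...)
        else:
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def tag_scans(records):
    """Add a hypothetical 'tags' column (the field proposed in the thread),
    marking records whose history matches the scan.bro conditions."""
    for rec in records:
        rec["tags"] = {"scan"} if rec["history"] in SCAN_HISTORIES else set()
    return records


def scan_targets_by_source(records, sample_size=3):
    """Per scanning source, a bounded sample of distinct targets in order of
    first appearance: the kind of IP sample that could travel with the
    notice instead of only in email_body_sections."""
    targets = defaultdict(list)
    for rec in records:
        src, dst = rec["id.orig_h"], rec["id.resp_h"]
        if "scan" in rec["tags"] and dst not in targets[src]:
            targets[src].append(dst)
    return {src: dsts[:sample_size] for src, dsts in targets.items()}
```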

