[Bro] intel.log file stops getting generated.
Azoff, Justin S
jazoff at illinois.edu
Wed Jan 25 11:42:19 PST 2017
> On Jan 25, 2017, at 2:06 PM, fatema bannatwala <fatema.bannatwala at gmail.com> wrote:
>
> Thanks Justin for suggesting some tools :-) will try those (Maybe Munin first)
>
> Here's the output of the cmds:
>
> $ wc -l conn.log
> 12913751 conn.log
>
> $ cat conn.log|bro-cut id.resp_p |fgrep -cw 23
> 3
>
> $ cat conn.log|bro-cut history|sort|uniq -c |sort -rn|head
> 4230547 S
> 2938925 Dd
> 1059285 ShADadFf
> 968902 ShADadfF
> 915401 D
> 212507 ShAFf
> 177731 SAF
> 177359 ShADadFfR
> 159024 ShADadfFr
> 140911 ShADdaFf
Interesting, you're not seeing port 23 scans, but you are seeing a lot of scans. 1/3 of your connections are unanswered SYN packets.
This would show what port is being scanned:
cat conn.log |bro-cut id.resp_p history|fgrep -w S|sort|uniq -c|sort -nr|head
Disabling scan.bro would likely help a lot.
--
- Justin Azoff
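The same count as Justin's bro-cut pipeline, as an added example that is not part of this thread: it parses a tab-separated conn.log using its `#fields` header and tallies connections whose history is exactly `S` (an unanswered SYN) per responder port. The log lines are constructed, not taken from the poster's data.

```python
# Added example (not from the thread): parse a Bro/Zeek conn.log in its
# tab-separated form and count unanswered-SYN connections (history == "S")
# per id.resp_p, which is what the bro-cut | fgrep -w S pipeline reports.
from collections import Counter

# Constructed sample log; field layout follows the conn.log header format.
SAMPLE_CONN_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\thistory
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring
1485370000.1\tC1\t10.0.0.5\t40000\t10.0.1.2\t22\ttcp\tS
1485370000.2\tC2\t10.0.0.5\t40001\t10.0.1.3\t22\ttcp\tS
1485370000.3\tC3\t10.0.0.5\t40002\t10.0.1.4\t22\ttcp\tS
1485370000.4\tC4\t10.0.0.9\t50000\t10.0.1.2\t445\ttcp\tS
1485370000.5\tC5\t10.0.0.9\t50001\t10.0.1.3\t445\ttcp\tS
1485370000.6\tC6\t10.0.0.7\t41000\t10.0.1.2\t80\ttcp\tShADadFf
1485370000.7\tC7\t10.0.0.7\t41001\t10.0.1.2\t23\ttcp\tSAF
1485370000.8\tC8\t10.0.0.7\t41002\t10.0.1.2\t53\tudp\tDd
#close\t2017-01-25-11-42-19
"""

def parse_conn_log(text):
    """Yield one dict per record, naming columns from the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line:
            continue  # other header/footer lines and blanks
        elif fields is not None:
            yield dict(zip(fields, line.split("\t")))

def unanswered_syn_ports(text, top=10):
    """Return [(resp_port, count), ...] for records whose history is exactly 'S',
    most-scanned port first (the equivalent of sort | uniq -c | sort -nr | head)."""
    counts = Counter(rec["id.resp_p"] for rec in parse_conn_log(text)
                     if rec.get("history") == "S")
    return counts.most_common(top)

if __name__ == "__main__":
    for port, n in unanswered_syn_ports(SAMPLE_CONN_LOG):
        print(f"{n:8d} {port}")
```

Matching on the whole history string avoids counting entries such as `SAF` or `ShADadFf`, the same thing `fgrep -w S` achieves in the one-liner.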