[Bro] intel.log file stops getting generated.

fatema bannatwala fatema.bannatwala at gmail.com
Wed Jan 25 13:23:04 PST 2017


Ah, makes sense, yes port 23 is getting blocked at the border, hence Bro
wouldn't be seeing any traffic to port 23... :)
Disabled the scan.bro file. Is there any other script that can be used
in place of scan.bro, i.e. would scan-NG have the same effect as well?
Thanks, Justin, for the help troubleshooting the issue; I will keep an eye on
the sensors for any performance hit for the next 24 hours.

On Wed, Jan 25, 2017 at 4:13 PM, Azoff, Justin S <jazoff at illinois.edu>
wrote:

>
> > On Jan 25, 2017, at 3:29 PM, fatema bannatwala <
> fatema.bannatwala at gmail.com> wrote:
> >
> > Thanks Justin!
> >
> > Happening again, no intel.log file getting generated (I don't know why
> the poor intel file is getting impacted, and not any other log file :-/ )
> >
> > Here are the stats (before I go ahead and disable scan.bro, and restart
> the cluster)
> > $ cat conn.log |bro-cut id.resp_p history|fgrep -w S|sort|uniq -c|sort -nr|head
> >  398587 2323    S
> >  256953 5358    S
> >  205109 7547    S
> >  115442 6789    S
> >  101712 22      S
> >   97051 81      S
> >   90099 5800    S
> >   44297 40884   S
> >   43943 40876   S
> >   35522 80      S
>
> Ah.. that looks about right for the constant flood of IoT Scan crap.  Are
> you filtering port 23 before bro can see it?  23 would be about 10x the
> volume of 2323.
>
>
> --
> - Justin Azoff
>
>
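The one-liner quoted above tallies connections whose `history` field is exactly `S` (a SYN from the originator with no reply) per destination port, which is the cheapest way to see how much of a sensor's load is scan noise that scripts like scan.bro then have to chew through. The following is an added example, not code from the thread or from the Bro project: it parses the tab-separated Bro/Zeek log format using the `#fields` header, so it does not depend on column positions, and produces the same per-port count. The conn.log excerpt embedded in it is constructed for the example and uses a trimmed-down field list; a real conn.log carries more columns, which the parser handles the same way.

```python
"""Count SYN-only (half-open) connections per destination port in a Bro/Zeek
conn.log, reproducing the `bro-cut id.resp_p history | fgrep -w S` tally
from the thread. Added example; the log lines below are constructed."""
from collections import Counter
from typing import Dict, List, Tuple


def build_sample_log() -> str:
    """Return a constructed conn.log excerpt with a reduced #fields list."""
    header = [
        "#separator \\x09",
        "#set_separator\t,",
        "#empty_field\t(empty)",
        "#unset_field\t-",
        "#path\tconn",
        "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p"
        "\tproto\tconn_state\thistory",
        "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring",
    ]
    # (orig_h, orig_p, resp_h, resp_p, proto, conn_state, history); the
    # addresses are documentation ranges, the uids are placeholders.
    rows = [
        ("198.51.100.7", "51000", "192.0.2.10", "2323", "tcp", "S0", "S"),
        ("198.51.100.7", "51001", "192.0.2.11", "2323", "tcp", "S0", "S"),
        ("198.51.100.8", "40000", "192.0.2.12", "2323", "tcp", "S0", "S"),
        ("198.51.100.9", "40001", "192.0.2.10", "5358", "tcp", "S0", "S"),
        ("198.51.100.9", "40002", "192.0.2.13", "5358", "tcp", "S0", "S"),
        ("198.51.100.7", "51002", "192.0.2.10", "22", "tcp", "S0", "S"),
        ("203.0.113.5", "52000", "192.0.2.10", "22", "tcp", "SF", "ShADadFf"),
        ("203.0.113.6", "52001", "192.0.2.14", "80", "tcp", "SF", "ShADadfF"),
        ("203.0.113.6", "52002", "192.0.2.53", "53", "udp", "SF", "Dd"),
    ]
    lines = list(header)
    for i, r in enumerate(rows):
        lines.append("\t".join((f"1485372000.{i}", f"CUID{i}") + r))
    lines.append("#close\t2017-01-25-13-00-00")
    return "\n".join(lines) + "\n"


def parse_bro_log(text: str) -> List[Dict[str, str]]:
    """Parse a Bro/Zeek TSV log into dicts keyed by the #fields column names."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            # Header/metadata lines; only #fields matters for column names.
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue
        if fields is None:
            raise ValueError("data line encountered before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        records.append(dict(zip(fields, values)))
    return records


def syn_only_by_port(records: List[Dict[str, str]]) -> Counter:
    """Per id.resp_p count of connections whose history is exactly 'S'.

    A bare 'S' means the originator sent a SYN and nothing came back: the
    footprint of a probe against a closed or silently dropped port, and the
    bulk of what a scan-detection script has to evaluate on a busy sensor.
    """
    return Counter(r["id.resp_p"] for r in records if r["history"] == "S")


def top_ports(counts: Counter, n: int = 10) -> List[Tuple[str, int]]:
    """Highest-volume SYN-only destination ports, like `sort -nr | head`."""
    return counts.most_common(n)


def main() -> None:
    records = parse_bro_log(build_sample_log())
    counts = syn_only_by_port(records)
    share = sum(counts.values()) / len(records) if records else 0.0
    for port, n in top_ports(counts):
        print(f"{n:7d} {port:<6} S")
    print(f"SYN-only share of all connections: {share:.0%}")


if __name__ == "__main__":
    main()
```

Run it against a real log with `parse_bro_log(open("conn.log").read())`; the SYN-only share it reports is the number to watch after disabling a scan script, since that is the portion of the connection table the script was paying for.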