[Bro] AddressScan numbers and actual log number mismatch?

Azoff, Justin S jazoff at illinois.edu
Tue Jun 13 14:51:51 PDT 2017


> On Jun 13, 2017, at 5:28 PM, fatema bannatwala <fatema.bannatwala at gmail.com> wrote:
> 
> Hi All,
> 
> So we had an incident today where an IP got blocked because of doing Address Scan, as reported by Bro.
> 
...

> 
> Not sure why the numbers don't match up, also to mention, I am using the check-addressscan.bro script from Scan-NG scripts folder.
> 
> Any idea? or if I am interpreting the logs correctly.

The tables that it uses are:


   # One entry per source address, holding the set of distinct destinations
   # it has contacted. &read_expire restarts the 1-day timer on every access,
   # so the entry is only dropped after a full day with no activity from that source.
   global distinct_peers: table[addr] of set[addr]
       &read_expire = 1 days &expire_func=scan_sum &redef;

or (depending on mode)

   # Same idea, but the per-source peer set is replaced by a HyperLogLog
   # cardinality estimate (memory-cheap, approximate count of distinct peers).
   global c_distinct_peers: table[addr] of opaque of cardinality
       &default = function(n: any): opaque of cardinality { return hll_cardinality_init(0.1, 0.99); }
       &read_expire = 1 day;


For 30 hosts, the logs related to this scan could go as far back as 30 days.

If the src ip was flagged as scanning one new IP every 12 hours the total length of the scan would be 15 days.

So... you are probably looking at the right logs, you just did not search far back enough in time.



-- 
- Justin Azoff
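The following is an added illustration of the point made above; it is not part of Justin's reply or of the Scan-NG scripts. It models a Bro table with `&read_expire` in plain Python: every access to a source's entry restarts its expiry timer, so a slow scanner that touches a new host more often than once per expiry window keeps accumulating distinct peers until the notice threshold is reached, while a scanner that pauses longer than the window loses its count. The threshold of 30 distinct peers, the 1-day expiry and the connection events are assumptions constructed for the example; the real Scan-NG thresholds are configured in the script. The `log_search_window` helper gives the worst-case span an analyst has to search back through logs for a scan that was still able to trigger.

```python
from datetime import datetime, timedelta

READ_EXPIRE = timedelta(days=1)   # assumed &read_expire = 1 day
THRESHOLD = 30                    # assumed address-scan notice threshold


class ReadExpireTable:
    """Toy model of `table[addr] of set[addr] &read_expire = 1 day`.

    An entry is dropped once the time since its last access exceeds the expiry
    interval. The scan script reads the entry before adding to it, so every new
    connection from a source counts as an access and restarts that source's timer.
    """

    def __init__(self, read_expire):
        self.read_expire = read_expire
        self.entries = {}  # src -> {"peers": set, "last": datetime, "first": datetime}

    def touch(self, src, dst, now):
        entry = self.entries.get(src)
        if entry is not None and now - entry["last"] > self.read_expire:
            entry = None  # timer ran out before this access: entry was expired
        if entry is None:
            entry = {"peers": set(), "last": now, "first": now}
            self.entries[src] = entry
        entry["peers"].add(dst)
        entry["last"] = now
        return entry


def replay(events, threshold=THRESHOLD, read_expire=READ_EXPIRE):
    """Replay (timestamp, src, dst) events in time order.

    Returns (notice_time, first_seen, distinct_count) for the first source that
    reaches the threshold, or None if no source ever does. `first_seen` is the
    oldest connection still counted in the scan, i.e. how far back the logs go.
    """
    table = ReadExpireTable(read_expire)
    for ts, src, dst in sorted(events):
        entry = table.touch(src, dst, ts)
        if len(entry["peers"]) >= threshold:
            return ts, entry["first"], len(entry["peers"])
    return None


def log_search_window(threshold, read_expire):
    """Worst case: threshold-1 gaps, each just under the expiry interval."""
    return (threshold - 1) * read_expire


# Constructed sample data (not real traffic).
START = datetime(2017, 5, 14, 0, 0)

# Scanner A: one new destination every 12 hours, never idle for a full day.
SLOW_SCAN = [
    (START + timedelta(hours=12 * i), "10.0.0.5", f"192.0.2.{i + 1}")
    for i in range(30)
]

# Scanner B: 15 hosts in one burst, silent for over a day, then 15 more.
BURSTY_SCAN = (
    [(START + timedelta(hours=i), "10.0.0.9", f"192.0.2.{i + 1}") for i in range(15)]
    + [(START + timedelta(days=3, hours=i), "10.0.0.9", f"192.0.2.{16 + i}") for i in range(15)]
)

if __name__ == "__main__":
    hit = replay(SLOW_SCAN)
    print("slow scanner:", hit)          # notice after 29 * 12h, first_seen == START
    print("bursty scanner:", replay(BURSTY_SCAN))  # None: count reset by the 3-day pause
    print("search back at least:", log_search_window(THRESHOLD, READ_EXPIRE))
```

For the slow scanner the notice fires 14.5 days after its first connection, so a conn.log search limited to the notice day shows only the last one or two destinations, which matches the mismatch described in the thread. The bursty scanner never triggers at all, because its pause exceeded the expiry window and the first 15 peers were forgotten.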



