Can you send me a trace of one of these scans? (Just TCP control packets is fine if there's content you can't pass on).
...
We have a free copy of splunk indexing the /usr/local/bro/logs/*
files. Using splunk provides an easy way to retrieve data from all
of the BRO files - conn, notice, info, etc. Tim Rupp did this. He's
available for hire!
I saw an outbound scan report today and used this splunk command ...
To figure this out, we really need a raw trace. The reason is the appearance
of a bunch of connections with state given as "OTH". Those reflect a
non-standard connection establishment (often due to Bro missing the beginning
of the connection, or multi-pathing, or the packet filter reordering SYNs
with SYN ACKs), which are probably what's confusing the scan detector about
the direction of the activity.
You can anonymize a raw trace using ipsumdump -A. Alternatively, you
could run Bro on it using "record_state_history=T" at the command line
to turn on connection state history tracking, which would probably let us
infer what's going on.
Vern
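A small triage script illustrating the point Vern makes above: before trusting the scan detector's idea of who initiated the activity, look at how many of the reported host's connections carry the "OTH" state and whether their recorded history shows the handshake start was actually observed. This is an added example, not code from the thread or from the Bro project, and it assumes the tab-separated conn.log layout of Bro 2.x / Zeek (field names and order as listed in FIELDS) with the history column populated by connection state history tracking; the sample log lines are constructed.

```python
"""Tabulate conn.log connection states for a host flagged by the scan
detector, so an analyst can judge whether "OTH" (non-standard
establishment) connections are likely confusing the alert's direction.

Assumptions (not from the original thread): Bro 2.x / Zeek tab-separated
conn.log layout with the fields named in FIELDS, and a `history` column
filled by connection state history tracking.
"""
from collections import Counter

# Assumed field order for the records below (a subset of the real columns).
FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "proto", "conn_state", "history"]

# Constructed sample: records involving 10.0.0.5, the host the scan
# detector reported. Addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
1.0\tC1\t10.0.0.5\t51000\t192.0.2.10\t80\ttcp\tS0\tS
2.0\tC2\t10.0.0.5\t51001\t192.0.2.11\t80\ttcp\tREJ\tSr
3.0\tC3\t10.0.0.5\t51002\t192.0.2.12\t22\ttcp\tOTH\thA
4.0\tC4\t10.0.0.5\t51003\t192.0.2.13\t22\ttcp\tOTH\tA
5.0\tC5\t192.0.2.14\t443\t10.0.0.5\t51004\ttcp\tOTH\tsA
6.0\tC6\t10.0.0.5\t51005\t192.0.2.15\t25\ttcp\tSF\tShAdDafF
"""


def parse_conn_log(text):
    """Parse tab-separated conn.log records into dicts keyed by field name.
    Lines beginning with '#' (Zeek header/footer lines) are skipped."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue  # malformed or differently shaped line: ignore
        records.append(dict(zip(FIELDS, parts)))
    return records


def saw_handshake_start(history):
    """True if the originator's SYN was seen first, i.e. history starts
    with 'S'. In the history string upper case = originator, lower case =
    responder, 'h' = SYN-ACK, 'A' = ACK. A history starting with 'h', 'A'
    or 's' means Bro missed the start of the connection or assigned the
    direction differently from the real handshake."""
    return history.startswith("S")


def summarize_host(records, host):
    """Count conn_state values for connections involving `host` and report
    how many of the OTH ones lack a properly observed connection start."""
    states = Counter()
    oth_total = 0
    oth_missing_start = 0
    for r in records:
        if host not in (r["id.orig_h"], r["id.resp_h"]):
            continue
        states[r["conn_state"]] += 1
        if r["conn_state"] == "OTH":
            oth_total += 1
            if not saw_handshake_start(r["history"]):
                oth_missing_start += 1
    return {"states": dict(states), "oth_total": oth_total,
            "oth_missing_start": oth_missing_start}


def direction_unreliable(summary, threshold=0.3):
    """Heuristic (threshold is an assumption): if at least 30% of the host's
    connections are OTH, the detector's notion of who initiated the
    activity should not be trusted without looking at a raw trace."""
    total = sum(summary["states"].values())
    return total > 0 and summary["oth_total"] / total >= threshold


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_LOG)
    summary = summarize_host(recs, "10.0.0.5")
    print(summary)
    print("scan direction unreliable:", direction_unreliable(summary))
```

On a real conn.log the same functions apply unchanged once FIELDS is set to match the `#fields` header line of that file; the useful output is the count of OTH connections whose history does not begin with 'S', which is exactly the evidence a raw trace (or `record_state_history=T`) is needed to explain.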