Can you send
me a trace of one of these scans? (Just TCP control
packets is fine if there's content you can't pass on).
We have a free copy of splunk indexing the /usr/local/bro/logs/*
files. Using splunk provides an easy way to retrieve data from all
of the BRO files - conn, notice, info, etc. Tim Rupp did this. He's
available for hire!
I saw an outbound scan report today and used this splunk command ...
To figure this out, we really need a raw trace. The reason is the appearance
of a bunch of connections with state given as "OTH". Those reflect a
non-standard connection establishment (often due to Bro missing the beginning
of the connection, or multi-pathing, or the packet filter reordering SYNs
with SYN ACKs), which are probably what's confusing the scan detector about
the direction of the activity.
You can anonymize a raw trace using ipsumdump -A. Alternatively, you
could run Bro on it using "record_state_history=T" at the command line
to turn on connection state history tracking, which would probably let us
infer what's going on.