Hi All,
So we had an incident today where an IP got blocked because of doing Address Scan, as reported by Bro.
But when asked to corroborate the activity with actual logs, I couldn’t find the relevant logs or number of distinct IPs the scanner connected to.
To clarify:
Here is the log that reported an Address Scan:
1497360944.102926 Reporter::INFO AddressScan NOTICE 71.162.229.81 has scanned 30 hosts (4282/tcp) manager
But when I did a quick grep through the conn logs, only 5 distinct IPs showed up as opposed to 30:
$ zcat conn.09:00:00-10:00:00.log.gz | grep "71.162.229.81" | grep "4282" | awk -F'\t' '{if ($6 == "4282") print $5}' | sort | uniq -c | sort -rn
38 128.x.x.x
26 128.y.y.y
20 128.z.z.z
2 128.k.k.k
2 128.j.j.j
I even looked at all the conn logs, but still couldn't get "30 IPs", as reported by the notice log:
$ zcat conn.*.log.gz | grep "71.162.229.81" | grep "4282" | awk -F'\t' '{if ($6 == "4282") print $5}' | sort | uniq | sort -rn
128.x.x.x
128.y.y.y
128.z.z.z
128.k.k.k
128.j.j.j
Not sure why the numbers don't match up. Also, to mention, I am using the check-addressscan.bro script from the Scan-NG scripts folder.
Any idea? Or am I interpreting the logs correctly?
Thanks,
Fatema.
> Hi All,
> So we had an incident today where an IP got blocked because of doing Address Scan, as reported by Bro.
> ...
> Not sure why the numbers don't match up. Also, to mention, I am using the check-addressscan.bro script from the Scan-NG scripts folder.
> Any idea? Or am I interpreting the logs correctly?
The tables that it uses are:
global distinct_peers: table[addr] of set[addr]
&read_expire = 1 days &expire_func=scan_sum &redef;
or (depending on mode)
global c_distinct_peers: table[addr] of opaque of cardinality
&default = function(n: any): opaque of cardinality { return hll_cardinality_init(0.1, 0.99); }
&read_expire = 1 day ;
For 30 hosts, the logs related to this scan could go as far back as 30 days.
If the src ip was flagged as scanning one new IP every 12 hours the total length of the scan would be 15 days.
So.. you are probably looking at the right logs, you just did not search far back enough in time.
Thanks Justin, a quick search through the data for the past 23 days still showed only 5 IPs, all belonging to today's logs.
Hence I was thinking that the port/service in the Notice is one of the several services Bro notices an address scan on, and it only reports the last one?
Or the address scan was actually performed on that service only.
Looking at the script, I think the service port (4282 for example) is the port for which Address Scans get reported, but I just wanted to verify,
as I am still not able to see more than 5 IPs hit on that port by 71.162.229.81.
Ah yes, I see now that you were filtering for the port. The policy counts scans across all ports. You'd need to look for failed connections on any port. You still may have to go back days to find the entire scan though.
Thanks Justin!
When I looked for all ports, excluding “SF” connections from conn log, I did get more than 30 IPs (31 in total).
I think that would be it, causing Bro to mark that IP as Scanning addresses, if I am doing filtering correctly.
$ nice zgrep --no-filename 71.162.229.81 conn.0[8-9]* | egrep -v "SF" | awk -F'\t' '{if ($1 < 1497360944) print $5, $6}' | sort | uniq -c
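As an added example that is not part of this thread or of the Scan-NG scripts: a small Python script that corroborates an AddressScan notice the way Justin describes, counting distinct responders on any port, excluding SF connections, within the policy's 1-day read_expire window before the notice, and showing the undercount you get by filtering on a single port. The scanner address, notice timestamp and conn.log lines are constructed sample values.

```python
# Added example, not from the thread or Scan-NG: count the distinct hosts a
# scanner reached with failed (conn_state != "SF") connections on ANY port
# within the policy's 1-day read_expire window ending at the notice time.
from typing import Iterable, Iterator

# Leading columns of a default Bro/Zeek conn.log; a #fields header overrides.
DEFAULT_FIELDS = ("ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto "
                  "service duration orig_bytes resp_bytes conn_state").split()

def parse_conn_log(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one dict per conn.log record, honouring a #fields header."""
    fields = DEFAULT_FIELDS
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))

def distinct_peers(records, scanner, notice_ts, window=86400, port=None):
    """Responder hosts `scanner` hit with a non-SF connection in the `window`
    seconds before `notice_ts`. port=None counts all ports, as the policy does;
    passing a port reproduces the undercount from filtering on one service."""
    peers = set()
    for r in records:
        if r["id.orig_h"] != scanner or r["conn_state"] == "SF":
            continue
        if not (notice_ts - window <= float(r["ts"]) < notice_ts):
            continue
        if port is not None and r["id.resp_p"] != str(port):
            continue
        peers.add(r["id.resp_h"])
    return peers

# Constructed sample: scanner 192.0.2.10 probes 40 hosts in the 40 s before
# the notice (5 on 4282/tcp, the rest on other ports, one of them completing
# with SF) plus one host 25 h earlier that falls outside the window.
NOTICE_TS = 1497360944.0
SCANNER = "192.0.2.10"
SAMPLE = ["#fields\t" + "\t".join(DEFAULT_FIELDS)] + [
    f"{NOTICE_TS - 40 + i}\tC{i}\t{SCANNER}\t40000\t198.51.100.{i}\t"
    f"{4282 if i < 5 else 1000 + i}\ttcp\t-\t-\t0\t0\t{'SF' if i == 7 else 'S0'}"
    for i in range(40)
] + [f"{NOTICE_TS - 90000}\tCold\t{SCANNER}\t40000\t198.51.100.200\t4282"
     "\ttcp\t-\t-\t0\t0\tS0"]

if __name__ == "__main__":
    recs = list(parse_conn_log(SAMPLE))
    print("all ports:", len(distinct_peers(recs, SCANNER, NOTICE_TS)))  # 39
    print("4282 only:", len(distinct_peers(recs, SCANNER, NOTICE_TS, port=4282)))  # 5
```

For real data, feed `parse_conn_log` the lines from `gzip.open(path, "rt")` over every conn.*.log.gz in the window rather than only the hour of the notice.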