Hi,
the event suppression in Bro does not appear to work the way I thought it would. For example, in my notice.log file, the suppress_for value always appears to be 3600. In misc/scan.bro (loaded in local.bro), addr_scan_interval and port_scan_interval both are set to 5min by default, yet still report 3600 in the suppress_for column of the log. Is there something obvious that I am overlooking?
Thanks,
Martin
port_scan_interval is not the suppression interval:
## Port scans detect that an attacking host appears to be
## scanning a single victim host on several ports. This notice
## is generated when an attacking host attempts to connect to
## :bro:id:`Scan::port_scan_threshold`
## unique ports on a single host over the previous
## :bro:id:`Scan::port_scan_interval` time range.
## Failed connection attempts are tracked over this time interval for
## the port scan detection. A higher interval will detect slower
## scanners, but may also yield more false positives.
If you want to change the suppression interval, use:
redef Notice::type_suppression_intervals += {
    [Scan::Port_Scan]    = 300sec,
    [Scan::Address_Scan] = 300sec,
};
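To make the distinction concrete, here is a local.bro fragment written as an added example (it is not code from this thread or from the Bro distribution). It sets the two scan detection windows from misc/scan.bro next to the notice suppression intervals, so the two knobs are visibly separate. The threshold and interval values are constructed for illustration; `Notice::default_suppression_interval` is the notice framework's fallback when no per-type interval is defined, which is why the log showed 3600 (one hour) before any redef.

```bro
# Added example: local.bro fragment separating detection windows from
# notice suppression. Not code from the thread or from Bro itself.
@load misc/scan

# Detection window and thresholds for misc/scan.bro. The *_interval values
# are the time range over which failed connection attempts are counted;
# they do not affect the suppress_for column in notice.log. A longer
# window catches slower scanners but may yield more false positives.
# (Example values, not the defaults.)
redef Scan::addr_scan_interval  = 10min;
redef Scan::port_scan_interval  = 10min;
redef Scan::addr_scan_threshold = 25;
redef Scan::port_scan_threshold = 15;

# Suppression: how long, after the first Scan::Address_Scan or
# Scan::Port_Scan notice for a given identifier, repeated notices are
# dropped. Without an entry here the notice framework falls back to
# Notice::default_suppression_interval (1 hour by default, i.e. the 3600
# seen in suppress_for).
redef Notice::type_suppression_intervals += {
    [Scan::Address_Scan] = 300sec,
    [Scan::Port_Scan]    = 300sec,
};
```

After this redef, Scan::Address_Scan and Scan::Port_Scan notices for the same scanner are suppressed for 5 minutes rather than an hour, while the detector still needs the configured number of distinct hosts or ports within the 10 minute window before it raises the first notice.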