How to use the scan analyzer?

Hi,

I'm using bro v0.9a2

on fbsd v4.9r

I run bro with:

  /usr/local/bin/bro09a2_nodns -i fxp1 bro.init mt http-request http-reply

but I don't have scan detection

and I don't have scan.log.

I have log.log, http.log, ftp.log, weird.log.

I have tested with policy/scan.bro: 25 -> 5

  const possible_port_scan_thresh = 5 &redef;

but no result.

Normally, the scan analyzer is loaded in the mt.bro policy (default).

I have added scan to the start command:

  /usr/local/bin/bro09a2_nodns -i fxp1 bro.init mt http-request http-reply scan

Can you help me?

I have a second question:
how do I search old emails on the bro list?
URL?

Regards

Rmkml@Wanadoo.fr

PS: prelude and snort detect the scan; yes, I run a scan test, and receive the scan ...

Hi again,

An update to my question, because I found this:

$ grep -i scan *.log
alert.log:1087576751.844694 ScanSummary myip.163 scanned a total of 0 hosts
log.log:1087576751.844694 ScanSummary myip.163 scanned a total of 0 hosts

[my range is .162-190]

Strange,
because I found it in alert|log.log as the last event (after ctrl+c on the
bro process),
and there are no other scan events.

Regards

Rmkml@Wanadoo.fr