not detect {big} scan with scan analyser

Hi,

I'm using bro 09a[3-4-5] on FreeBSD v4.10R,

bro does not detect this scan (attached pcap/gz file)

with default policy,

but in conn.log file :

1085375478.746540 0.000008 128.173.231.31 62.23.34.167 smtp 3618 25 tcp ? ? REJ X
1085375479.331791 0.000003 128.173.231.31 62.23.34.167 smtp 3618 25 tcp ? ? REJ X
1085375481.138096 ? 128.173.231.31 62.23.34.162 ftp 3565 21 tcp ? ? S0 X
1085375481.138064 ? 128.173.231.31 62.23.34.162 http 3566 80 tcp ? ? S0 X
1085375481.138104 ? 128.173.231.31 62.23.34.162 dns 3567 53 tcp ? ? S0 X
1085375481.138047 ? 128.173.231.31 62.23.34.162 smtp 3568 25 tcp ? ? S0 X
1085375481.138072 ? 128.173.231.31 62.23.34.162 finger 3569 79 tcp ? ? S0 X
...

$ export BROPATH=/c/confL/policy
$ export BRO_DNS_FAKE=1 # disable dns lookup
$ /usr/local/bin/bro09a5_nodns_micro -r scantcp-viginia_edu.tcpdump bro.init mt
-> scan analyser in mt.bro (@load scan)

Can you help me?

Regards

Rmkml@Wanadoo.fr

scantcp-virginia_edu.tcpdump.gz (9.5 KB)

Hi,

> Hi,
>
> I'm using bro 09a[3-4-5] on FreeBSD v4.10R,
>
> bro does not detect this scan (attached pcap/gz file)

man, please do *not* send snippets of full-packet captures of any site
other than your own private network to a public mailing list! I don't
need to know how you're using these traces but I'm sure the folks from
vetmed.vt.edu don't want to see their traffic dissected in public on the
Internet.

> with default policy,
>
> but in conn.log file :
>
> 1085375478.746540 0.000008 128.173.231.31 62.23.34.167 smtp 3618 25 tcp ? ? REJ X
> 1085375479.331791 0.000003 128.173.231.31 62.23.34.167 smtp 3618 25 tcp ? ? REJ X
> 1085375481.138096 ? 128.173.231.31 62.23.34.162 ftp 3565 21 tcp ? ? S0 X
> 1085375481.138064 ? 128.173.231.31 62.23.34.162 http 3566 80 tcp ? ? S0 X
> 1085375481.138104 ? 128.173.231.31 62.23.34.162 dns 3567 53 tcp ? ? S0 X
> 1085375481.138047 ? 128.173.231.31 62.23.34.162 smtp 3568 25 tcp ? ? S0 X
> 1085375481.138072 ? 128.173.231.31 62.23.34.162 finger 3569 79 tcp ? ? S0 X
> ...
>
> $ export BROPATH=/c/confL/policy
> $ export BRO_DNS_FAKE=1 # disable dns lookup
> $ /usr/local/bin/bro09a5_nodns_micro -r scantcp-viginia_edu.tcpdump bro.init mt

Note: you normally do not need to include bro.init separately on the
command line as that's always included (see main.cc).

> -> scan analyser in mt.bro (@load scan)
>
> Can you help me?

I'm not sure what you're feeding into Bro, but that's not that many
SYNs. I suggest you dig through the scan.bro policy and try to
understand why it decides that it is not a scan -- you'll also *need* to
understand it if you want to use the scan analyzer reliably.

Regards,
Christian.
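As an added illustration of the kind of counting Christian points at (this is not code from the thread or from scan.bro): parse the old conn.log layout quoted above and count, per originator, the distinct targets that never reached an established connection. The SAMPLE_CONN_LOG lines are constructed (the quoted lines plus one normal session), and the threshold is an assumption; scan.bro's real thresholds and logic differ.

```python
from collections import defaultdict

# Constructed sample in the old (0.9a) Bro conn.log layout modelled on the
# lines quoted in the thread: ts duration orig resp service oport rport proto
# orig_bytes resp_bytes state flags. The last line is an added normal session.
SAMPLE_CONN_LOG = """\
1085375478.746540 0.000008 128.173.231.31 62.23.34.167 smtp 3618 25 tcp ? ? REJ X
1085375479.331791 0.000003 128.173.231.31 62.23.34.167 smtp 3618 25 tcp ? ? REJ X
1085375481.138096 ? 128.173.231.31 62.23.34.162 ftp 3565 21 tcp ? ? S0 X
1085375481.138064 ? 128.173.231.31 62.23.34.162 http 3566 80 tcp ? ? S0 X
1085375481.138104 ? 128.173.231.31 62.23.34.162 dns 3567 53 tcp ? ? S0 X
1085375481.138047 ? 128.173.231.31 62.23.34.162 smtp 3568 25 tcp ? ? S0 X
1085375481.138072 ? 128.173.231.31 62.23.34.162 finger 3569 79 tcp ? ? S0 X
1085375490.000000 0.120000 10.0.0.5 62.23.34.162 http 40000 80 tcp 300 1200 SF X
...
"""

FIELDS = ("ts", "duration", "orig", "resp", "service", "oport", "rport",
          "proto", "obytes", "rbytes", "state", "flags")
# States meaning the responder never completed a handshake with the originator.
UNANSWERED = {"S0", "REJ"}

def parse_conn_log(text):
    """Yield one dict per well-formed line; skip the '...' placeholder and blanks."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        yield dict(zip(FIELDS, parts))

def failed_targets(records):
    """Per originator, the distinct (responder, port) pairs probed without an
    established TCP connection. Retries to one target (the two REJ lines) count once."""
    targets = defaultdict(set)
    for r in records:
        if r["proto"] == "tcp" and r["state"] in UNANSWERED:
            targets[r["orig"]].add((r["resp"], int(r["rport"])))
    return targets

def scanners(records, threshold):
    """Originators whose distinct failed-target count reaches the threshold.
    The threshold is an assumption here; scan.bro's own thresholds and logic differ."""
    return {src: len(t) for src, t in failed_targets(records).items()
            if len(t) >= threshold}

if __name__ == "__main__":
    recs = list(parse_conn_log(SAMPLE_CONN_LOG))
    for src, n in scanners(recs, threshold=5).items():
        print(f"{src}: {n} distinct unanswered targets")
```

With the quoted lines alone the scanning host reaches only six distinct unanswered targets, which is the point Christian makes about the capture not containing many SYNs.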

Hi list,

sorry for the noise,

but the latest bro version 09a7

does not detect any {BIG} scan ....

Regards

Rmkml@Wanadoo.fr