Port Scanning Detection advice

Hello

Wondering if anyone could shed some light on the best way to handle port scanning tasks within Bro. I’m particularly interested in creating a basic script to react when a threshold is met, i.e. when X attacks are detected within a Y time window. Counting the attacks is fine, but it’s how to relate to the time window I’m stuck on. With a start and end time I can create a duration, but as time is continuous I don’t know the best method to decide when to start and when to stop.

I’m studying the scan.bro from the \misc folder but can’t work out how it handles this time-window dilemma. Are there basic notes on these scripts other than the comments with them? Not sure if anyone can help but thought I’d ask.

Thanks
Graham

Are you aware of this law, the computer FRAUD and abuse ACT?

Updated you earlier in regards to this item also there are some new things added to it be advised further.

Thanks again for all the best regards. To address ING this FOOLISH for OF misinformation whichever angle they try to create is covered should be resolved as soon as possible to get them wrong bits out of the way.

I saw the original question sent in, and I am / was interested in the same.

The given response has left me more than a bit befuddled.

Clarification?

Hello Graham,

> Wondering if anyone could shed some light on the best way to handle port
> scanning tasks within Bro. I'm particularly interested in creating a
> basic script to react when a threshold is met, i.e. when X attacks are
> detected within a Y time window. Counting the attacks is fine, but it's
> how to relate to the time window I'm stuck on. With a start and end time
> I can create a duration, but as time is continuous I don't know the best
> method to decide when to start and when to stop.
>
> I'm studying the scan.bro from the \misc folder but can't work out how
> it handles this time-window dilemma. Are there basic notes on these
> scripts other than the comments with them? Not sure if anyone can help
> but thought I'd ask.

The way that this is done in Bro currently is quite basic. The short
answer is - we don't handle the time-window dilemma. The long answer is -
scan.bro uses the Summary Statistics Framework
(Summary Statistics — Bro 2.6.1 documentation). SumStats allows you
to easily count things that are going on and set thresholds, etc. At the
moment, these thresholds are epoch-based - you give SumStats a period of
time during which you want to check the thresholds (e.g., one hour, a day,
etc). If a threshold is reached during that time period, the callback
function is called.

After an epoch has passed, all counters are reset to zero and counting starts
from the beginning. There is currently no additional handling of time
windows. So - currently the decision on where exactly these windows are is
based on the startup time of Bro.

Johanna
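
The epoch behaviour described in the reply above, modelled in Python as an added example (it is not Bro script, not SumStats code, and not part of the original thread). It shows how a burst that straddles an epoch boundary can stay under the threshold, and how the outcome depends on the startup time; the function names, the sample burst and the sliding-window variant are assumptions that go beyond what the thread describes.

```python
from collections import defaultdict, deque

def epoch_alerts(events, epoch, threshold, start=0.0):
    """Epoch counting: counters reset every `epoch` seconds, measured
    from `start` (standing in for the sensor's startup time)."""
    alerts, counts, current = [], defaultdict(int), None
    for ts, src in sorted(events):
        idx = int((ts - start) // epoch)
        if idx != current:            # epoch rolled over: reset all counters
            counts.clear()
            current = idx
        counts[src] += 1
        if counts[src] == threshold:  # fire once per source per epoch
            alerts.append((ts, src))
    return alerts

def sliding_alerts(events, window, threshold):
    """Alternative: keep each source's timestamps from the last `window` seconds."""
    alerts, recent, alerted = [], defaultdict(deque), set()
    for ts, src in sorted(events):
        q = recent[src]
        q.append(ts)
        while q[0] <= ts - window:    # drop observations older than the window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)          # report each source once
            alerts.append((ts, src))
    return alerts

# Constructed sample: 10 failed attempts from one source, one every 10 s,
# from t=3550 to t=3640, so the burst straddles the 3600 s epoch boundary.
SCANNER = "192.0.2.10"
BURST = [(3550.0 + 10 * i, SCANNER) for i in range(10)]

if __name__ == "__main__":
    # Epochs aligned at t=0 split the burst 5/5, so a threshold of 8 is never met.
    print("epoch, start=0:   ", epoch_alerts(BURST, 3600, 8))
    # The same traffic with a different startup time falls inside one epoch.
    print("epoch, start=3000:", epoch_alerts(BURST, 3600, 8, start=3000))
    # A sliding window is independent of where the epochs happen to start.
    print("sliding window:   ", sliding_alerts(BURST, 3600, 8))
```

The sliding window trades memory for accuracy: it stores one timestamp per observation per source, where the epoch counter stores a single integer.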