Hello!
I wonder, is the port scan detection functionality present in bro 2.0,
and if it is, how do I enable it?
I am starting bro with scripts/test-all-policy.bro, which should (I
suppose) enable all built-in analyzers, then perform a standard nmap SYN
scan of the host running bro. After that, I shut down bro and examine the
results.
However, nothing related to scanning is shown in notice.log, and
alarm.log doesn't even get created. Am I missing some important steps here?
I'm running bro directly via cli: bro -i eth0 scripts/test-all-policy.bro
As a side question: what is the easiest way to test bro's
alarm-triggering? What I need is a sample pcap file (or some kind of
instructions) which will trigger alarms in a default bro configuration
(a freshly built bro run with the scripts that are distributed with bro itself).
You can download scan.bro from there, put it into your site directory,
and then load it from local.bro. The script hasn't seen much testing
yet, but it's basically the 1.5 version with a few little pieces
updated to the 2.0 API changes.
As a side question: what is the easiest way to test bro's
alarm-triggering?
The easiest way would be without any trace at all, just some lines of
script code directly triggering an alarm. There are a few tests in the
test suite which do that. Try this:
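An added illustration of that approach, not the reply's own script (which is not included above): a minimal Bro 2.0 script that raises one custom notice from bro_init() and marks it as an alarm, so that both notice.log and alarm.log are produced without any traffic or trace. The notice type name Test_Alarm and the file name are my choices; the use of Notice::alarmed_types to route a notice type to alarm.log is an assumption about the 2.0 notice framework.

```bro
# test-alarm.bro -- added example, not part of the Bro distribution.
# Run with:   bro test-alarm.bro
# No -i or -r is needed: bro_init() fires as soon as the script loads, Bro
# writes notice.log and alarm.log into the current directory and exits.

# Declare a custom notice type (Test_Alarm is an arbitrary name for this example).
redef enum Notice::Type += {
    Test_Alarm,
};

# Under the 2.0 notice framework a notice only reaches alarm.log if the
# notice policy assigns it ACTION_ALARM. Listing the type in
# Notice::alarmed_types is assumed here to be the simplest way to do that.
redef Notice::alarmed_types += { Test_Alarm };

event bro_init()
    {
    # Raise the notice directly; nothing on the wire is required.
    NOTICE([$note=Test_Alarm,
            $msg="test notice raised from bro_init(), no traffic involved"]);
    }
```

After running it, a line with note Test_Alarm should appear in notice.log, and alarm.log should exist and carry the same notice; if notice.log is written but alarm.log is not, the type is being logged but not alarmed, which is exactly the distinction the notice policy controls.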