Question on Notices

Hi

I’ve been playing with notice alerts and was wondering if it’s possible to get the alert below to show the unique hosts that it scanned. If not possible via an alert, what would be the best way in Bro to find these hosts? Thanks!

[Bro] Scan::Address_Scan

Message: 192.168.xxx.xxx scanned at least 27 unique hosts on port 80/tcp in 1m56s

Sub-message: local

Address: 192.168.xxx.xxx

Email Extensions

Originally only replied to Damon, wanted to make sure the rest of the list caught this too in case anyone else had a similar question …

There are a couple of ways to get the hosts in your notice, but both require modifying the scan.bro script. If you want to capture all of the victim hosts, then you can add the victims to a table as the data is being sent to SumStats (`SumStats::observe("scan.addr.fail" ... )`); if you want a random sample of the victim hosts, then you can add the SumStats sample measurement to the reducer (detect-sqli.bro has an example of this). The latter won't give you all the scanned hosts, but it'd be easier and cleaner to implement in the script.

The easiest way to check w/o editing any scripts or altering the notice is to bro-cut your http.log and fgrep for the scanner IP connecting to hosts on port 80.

-Josh
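As an added illustration of the "easiest way" above (this is not code from the thread or from the Bro project), the snippet below pulls the unique hosts a scanner reached on port 80 out of a Bro http.log. With Bro installed the same extraction is `bro-cut id.orig_h id.resp_h id.resp_p < http.log | fgrep SCANNER_IP`; here the column lookup is reimplemented in awk so it runs without bro-cut, and the http.log it reads is a small constructed sample with made-up addresses.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from Bro itself.
# Emulates: bro-cut id.orig_h id.resp_h id.resp_p < http.log | fgrep SCANNER
# The Bro ASCII log format: tab-separated, a "#fields" header naming the
# columns, a "#types" header, data rows, and a "#close" footer.

# scanned_hosts LOGFILE SCANNER PORT -> one victim IP per line, sorted, unique
scanned_hosts() {
  log=$1; scanner=$2; port=$3
  awk -F '\t' -v s="$scanner" -v p="$port" '
    # Record the column index of each field name from the #fields header,
    # as bro-cut does, so a different column order does not break us.
    /^#fields/ { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }
    /^#/ { next }   # skip #separator, #types, #close and friends
    $col["id.orig_h"] == s && $col["id.resp_p"] == p { print $col["id.resp_h"] }
  ' "$log" | sort -u
}

# count_lines: portable line counter (avoids the padded output of some wc -l builds)
count_lines() { awk 'END { print NR }'; }

# make_sample_log FILE: write a constructed http.log with made-up addresses.
# 192.168.1.50 hits three distinct hosts on port 80 (one of them twice) and
# one host on 8080; a second client, 192.168.1.51, hits one host on port 80.
make_sample_log() {
  out=$1
  printf '#separator \\x09\n' > "$out"
  printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\n' >> "$out"
  printf '#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\n' >> "$out"
  row='%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n'
  printf "$row" 1400000001.1 CA1 192.168.1.50 40001 10.0.0.1 80   GET 10.0.0.1 >> "$out"
  printf "$row" 1400000002.2 CA2 192.168.1.50 40002 10.0.0.2 80   GET 10.0.0.2 >> "$out"
  printf "$row" 1400000003.3 CA3 192.168.1.50 40003 10.0.0.2 80   GET 10.0.0.2 >> "$out"
  printf "$row" 1400000004.4 CA4 192.168.1.50 40004 10.0.0.3 80   GET 10.0.0.3 >> "$out"
  printf "$row" 1400000005.5 CA5 192.168.1.50 40005 10.0.0.4 8080 GET 10.0.0.4 >> "$out"
  printf "$row" 1400000006.6 CB1 192.168.1.51 40006 10.0.0.5 80   GET 10.0.0.5 >> "$out"
  printf '#close\t2014-05-13-12-00-00\n' >> "$out"
}

# Stand-alone run: build the sample log and report like the notice does.
sample=$(mktemp)
make_sample_log "$sample"
victims=$(scanned_hosts "$sample" 192.168.1.50 80)
echo "192.168.1.50 reached $(printf '%s\n' "$victims" | count_lines) unique hosts on port 80/tcp:"
printf '%s\n' "$victims"
rm -f "$sample"
```

Because http.log only records connections that actually carried HTTP, the same function run over conn.log (which has the same id.orig_h / id.resp_h / id.resp_p fields) also picks up hosts that never answered, which is closer to what scan.bro counts as a failed connection attempt.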

+1 to what Josh said, but I'll just add two points:

- Adding the full set of victim hosts will drastically increase the memory usage. scan.bro can already be fairly memory intensive on a large network (depending on how populated your IP space is, where exactly Bro is inspecting the traffic, etc.) This trade-off might be worth it to you, just wanted to point it out.

- While with the sampling approach the samples are randomized, they are also statistically significant. That means that if an attacker scans 1000 ports on host A, and one port on another 10 hosts, host A would be the one to show up in the sample. (I'm oversimplifying things here, for more information see: http://en.wikipedia.org/wiki/Reservoir_sampling)

--Vlad