Scan UDP

Cristian_Barbaro · February 11, 2016, 6:53pm

Hi, Community.

i'm testing UDP ports scans with Nmap but Bro doesn't detect this scan
type.

Bro implements this scan type detect?

I'm using hooks (Scan::addr_scan_policy Scan::port_scan_policy) to
generate logs, with UDP the logs remain empty.
However, the UDP connections was stored in conn.log.

Thanks and sorry for my english.

Seth_Hall3 · February 11, 2016, 8:58pm

There is a prototype script that we put together a while ago that detects UDP scans. If you run it, I'd love to get any feedback that you have.
https://github.com/sethhall/bro-junk-drawer/blob/master/scan_udp.bro

.Seth

Forest_Monsen · February 11, 2016, 10:48pm

I like this script and am using it in production. The *nix traceroute
utility does trigger it, because it uses the sequential UDP port numbers
by default instead of ICMP... so I would like to exclude those.

Best,
Forest

Topic		Replies	Views
Scan UDP Zeek	4	96	May 6, 2022
scan.bro and missing log entries Zeek	12	126	May 6, 2022
Scan ports doubt Zeek	3	106	May 6, 2022
Question about port scan detection and raising alarms Zeek	2	328	May 6, 2022
How to configure Bro to detect UDP port 53 Zeek	1	142	May 6, 2022

Scan UDP

Related topics