I'm testing UDP port scans with Nmap, but Bro doesn't detect this scan.
Does Bro implement detection for this scan type?
I'm using hooks (Scan::addr_scan_policy, Scan::port_scan_policy) to
generate logs; with UDP the logs remain empty.
However, the UDP connections were stored in conn.log.
Thanks and sorry for my English.

There is a prototype script that we put together a while ago that detects UDP scans. If you run it, I'd love to get any feedback that you have.

I like this script and am using it in production. The *nix traceroute
utility does trigger it, because it uses the sequential UDP port numbers
by default instead of ICMP... so I would like to exclude those.
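
The traceroute false positive described in the last message can be seen offline against conn.log data. The sketch below is an added example, not the prototype script mentioned in the thread and not Bro's own code. It assumes rows reduced to four conn.log fields (originator, responder, responder port, protocol), an arbitrary threshold of 15 distinct ports, and traceroute's defaults of base port 33434, 30 hops and 3 probes per hop.

```python
from collections import defaultdict

TRACEROUTE_BASE = 33434      # default first UDP destination port of *nix traceroute
TRACEROUTE_SPAN = 30 * 3     # default 30 hops x 3 probes, one port per probe
PORT_THRESHOLD = 15          # assumed: distinct UDP ports per host pair before alerting

def looks_like_traceroute(ports):
    """True when the ports form one unbroken run inside traceroute's default window."""
    lo, hi = min(ports), max(ports)
    in_window = lo >= TRACEROUTE_BASE and hi < TRACEROUTE_BASE + TRACEROUTE_SPAN
    return in_window and hi - lo + 1 == len(ports)

def udp_port_scans(rows, threshold=PORT_THRESHOLD):
    """rows: iterable of (orig_h, resp_h, resp_p, proto) taken from conn.log.
    Returns {(orig_h, resp_h): sorted ports} for host pairs that look like scans."""
    seen = defaultdict(set)
    for orig_h, resp_h, resp_p, proto in rows:
        if proto == "udp":
            seen[(orig_h, resp_h)].add(int(resp_p))
    return {pair: sorted(ports) for pair, ports in seen.items()
            if len(ports) >= threshold and not looks_like_traceroute(ports)}

def sample_rows():
    """Constructed sample data using documentation addresses, not real traffic."""
    rows = []
    # Host .10: 20 scattered UDP ports on one target -> reported as a scan
    for p in (53, 67, 69, 123, 137, 138, 161, 162, 500, 514, 520, 623,
              1434, 1900, 4500, 5060, 5353, 11211, 17185, 49152):
        rows.append(("192.0.2.10", "198.51.100.5", str(p), "udp"))
    # Host .20: traceroute, 30 sequential ports from the base -> excluded
    for p in range(TRACEROUTE_BASE, TRACEROUTE_BASE + 30):
        rows.append(("192.0.2.20", "198.51.100.5", str(p), "udp"))
    # Host .30: ordinary DNS lookup plus TCP noise -> ignored
    rows.append(("192.0.2.30", "198.51.100.53", "53", "udp"))
    rows.append(("192.0.2.30", "198.51.100.5", "443", "tcp"))
    return rows

if __name__ == "__main__":
    for (src, dst), ports in udp_port_scans(sample_rows()).items():
        print(f"UDP port scan: {src} -> {dst} ({len(ports)} ports)")
```
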