Scan UDP

Nicolas_Macia_CESPI · March 10, 2016, 12:44am

Hi Seth, we where using [1] for some time and we found it trigger some
false positive alerts.

The problem was detected with NTP and DNS servers with a lot of
activity. The script alerts that this servers were scanning UDP ports
when in reality they were responding to requests to their services.

Today we use an external bash script to determine whether or not it is a
false positive (using knows udp ports).... not the best solution but it
works pretty well

[1] https://github.com/sethhall/bro-junk-drawer/blob/master/scan_udp.bro

Cheers.
Nico

Aashish_Sharma1 · March 10, 2016, 1:12am

Nicholas,

If you don't mind sharing your bash script, May be we can look at that and incorporate those logic into this bro script
itself.

Aashish

Nicolas_Macia_CESPI · March 11, 2016, 8:09pm

Aashish, you misunderstood me. What we did was not to consider
communications from those ports (NTP & DNS).

I think the problem is that in con.log there are a lot of UDP conections
marked with is_local flag in T when they are not.

I guessed that this is done because of some packets dropped at nids
installation, but netstat -ni does not show any drop or error on the
capture interface.

nico

Forest_Monsen · March 11, 2016, 10:53pm

Ah yes. We saw this behavior with Bluehost recursive DNS. I don't have a
pcap, I'm sorry.

Topic		Replies	Views
Scan UDP Zeek	3	97	May 6, 2022
scan.bro and missing log entries Zeek	12	125	May 6, 2022
Modbus protocol event handler for Bro Zeek	2	104	May 6, 2022
Bro and port scan Zeek	1	97	May 6, 2022
Follow up on invoking the "protocol_confirmation" event Zeek	5	83	May 6, 2022

Scan UDP

Related topics