Hi Seth, we were using [1] for some time and we found it triggered some
false positive alerts.
The problem was detected with NTP and DNS servers with a lot of
activity. The script alerts that these servers were scanning UDP ports
when in reality they were responding to requests to their services.
Today we use an external bash script to determine whether or not it is a
false positive (using known UDP ports)... not the best solution but it
works pretty well.
[1] https://github.com/sethhall/bro-junk-drawer/blob/master/scan_udp.bro
Cheers.
Nico
Nicholas,
If you don't mind sharing your bash script, maybe we can look at that and incorporate that logic into this bro script
itself.
Aashish
Aashish, you misunderstood me. What we did was to not consider
communications from those ports (NTP & DNS).
I think the problem is that in con.log there are a lot of UDP connections
marked with the is_local flag in T when they are not.
I guessed that this is done because of some packets dropped at the NIDS
installation, but netstat -ni does not show any drop or error on the
capture interface.
nico
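The port-based false-positive filter Nico describes above (ignore UDP flows whose originator port is a known service port such as DNS or NTP before counting distinct destination hosts per source) is sketched here as an added example in Python. It is not Nico's bash script nor anything from scan_udp.bro; it assumes the default Bro/Zeek conn.log column order for the first seven fields (ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto), the service-port list KNOWN_UDP_SERVICE_PORTS is an assumption chosen for this example, and the log rows are constructed.

```python
"""Count distinct UDP responders per originator from Bro/Zeek conn.log
lines, skipping flows whose originator port is a well-known UDP service
port. Those flows are typically server replies whose request Bro never
saw (or recorded as a separate flow), which is what makes busy DNS/NTP
servers look like UDP scanners."""
from collections import defaultdict

# Assumption for this example: originator ports treated as "server reply,
# not a probe". Extend to whatever services your sensors watch.
KNOWN_UDP_SERVICE_PORTS = {53, 123, 161, 514}

# Constructed conn.log-style rows (tab-separated, default Zeek order for
# the first seven columns). 10.0.0.53 is a busy DNS server answering four
# remote clients; 10.0.0.99 sweeps SNMP on four hosts; 10.0.0.7 is a
# normal TCP client and should never be counted.
_ROWS = [
    ("1425000000.10", "CAAAAA1", "10.0.0.53", "53", "198.51.100.10", "41234", "udp"),
    ("1425000000.20", "CAAAAA2", "10.0.0.53", "53", "198.51.100.11", "53012", "udp"),
    ("1425000000.30", "CAAAAA3", "10.0.0.53", "53", "203.0.113.5", "60011", "udp"),
    ("1425000000.40", "CAAAAA4", "10.0.0.53", "53", "203.0.113.9", "33870", "udp"),
    ("1425000001.00", "CAAAAA5", "10.0.0.99", "51000", "203.0.113.1", "161", "udp"),
    ("1425000001.10", "CAAAAA6", "10.0.0.99", "51001", "203.0.113.2", "161", "udp"),
    ("1425000001.20", "CAAAAA7", "10.0.0.99", "51002", "203.0.113.3", "161", "udp"),
    ("1425000001.30", "CAAAAA8", "10.0.0.99", "51003", "203.0.113.4", "161", "udp"),
    ("1425000002.00", "CAAAAA9", "10.0.0.7", "40000", "192.0.2.8", "443", "tcp"),
    ("1425000002.10", "CAAAAB0", "10.0.0.7", "40001", "192.0.2.9", "443", "tcp"),
]
SAMPLE_CONN_LOG = [
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
] + ["\t".join(r) for r in _ROWS]


def parse_conn_line(line):
    """Return a dict for one conn.log data row, or None for headers,
    comments and rows that are too short to carry the 5-tuple."""
    if line.startswith("#"):
        return None
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 7:
        return None
    try:
        return {
            "ts": float(fields[0]),
            "uid": fields[1],
            "orig_h": fields[2],
            "orig_p": int(fields[3]),
            "resp_h": fields[4],
            "resp_p": int(fields[5]),
            "proto": fields[6],
        }
    except ValueError:  # malformed port or timestamp: treat as unparseable
        return None


def udp_scan_candidates(lines, threshold=3, ignore_orig_ports=KNOWN_UDP_SERVICE_PORTS):
    """Map originator -> sorted list of distinct UDP responders, keeping only
    originators that reached at least `threshold` distinct hosts. Flows
    originating from a port in `ignore_orig_ports` are dropped first, which
    is the same suppression Nico applied for NTP and DNS."""
    responders = defaultdict(set)
    for line in lines:
        rec = parse_conn_line(line)
        if rec is None or rec["proto"] != "udp":
            continue
        if rec["orig_p"] in ignore_orig_ports:
            continue  # server reply, not evidence of scanning
        responders[rec["orig_h"]].add(rec["resp_h"])
    return {h: sorted(s) for h, s in responders.items() if len(s) >= threshold}


if __name__ == "__main__":
    print("without port filter:", sorted(udp_scan_candidates(SAMPLE_CONN_LOG, ignore_orig_ports=set())))
    print("with port filter:   ", sorted(udp_scan_candidates(SAMPLE_CONN_LOG)))
```

Run against the constructed rows, the unfiltered pass reports both 10.0.0.53 and 10.0.0.99; with the originator-port filter only the SNMP sweep from 10.0.0.99 remains. The filter keys on the originator port because that is what distinguishes a reply-only flow from a client probe in conn.log; a recursive resolver that legitimately contacts many upstream servers on port 53 is a separate case and needs a per-host allowlist rather than a port rule.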
Ah yes. We saw this behavior with Bluehost recursive DNS. I don't have a
pcap, I'm sorry.