Scan UDP

Hi Seth, we were using [1] for some time and we found it triggers some
false positive alerts.

The problem was detected with NTP and DNS servers with a lot of
activity. The script alerts that these servers were scanning UDP ports
when in reality they were responding to requests to their services.

Today we use an external bash script to determine whether or not it is a
false positive (using known UDP ports)... not the best solution, but it
works pretty well.
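The false positive described above, reproduced on constructed data as an added example (this is not Bro's scan script and not the poster's bash script): a naive UDP scan heuristic counts the distinct destination ports each source host talks to. A busy DNS or NTP server whose requests the sensor did not see gets every answer logged as a flow originating from port 53 or 123 toward a different client ephemeral port, so it crosses the threshold just like a scanner. Skipping flows whose source port is a known UDP service port removes that case. The port list and the threshold are assumptions; tune them for your site.

```python
"""Toy UDP port-scan heuristic over conn.log-style records (added example).

Shows why a busy DNS/NTP server looks like a scanner when orphan responses
are counted as probes, and how excluding known service source ports fixes it.
All records below are constructed, not taken from a real conn.log.
"""
from collections import defaultdict

# Assumed list of UDP ports that only ever appear as a *source* port on
# responses; extend for your environment (e.g. 161 SNMP, 514 syslog).
KNOWN_UDP_SERVICE_PORTS = {53, 123, 161, 514}

# Assumed threshold: distinct destination ports before a source is reported.
SCAN_PORT_THRESHOLD = 5


def _flow(ts, orig_h, orig_p, resp_h, resp_p):
    """One tab-separated conn.log-style line: ts orig_h orig_p resp_h resp_p proto."""
    return f"{ts}\t{orig_h}\t{orig_p}\t{resp_h}\t{resp_p}\tudp"


# Constructed sample log.
SAMPLE_CONN_LOG = "\n".join(
    # Busy recursive DNS server: when the matching queries were not seen,
    # each answer is logged as a flow originating from port 53 toward a
    # different client ephemeral port.
    [_flow(1.0 + i, "10.0.0.53", 53, f"192.168.1.{10 + i}", 40000 + i) for i in range(8)]
    # NTP server in the same situation.
    + [_flow(2.0 + i, "10.0.0.123", 123, f"192.168.2.{10 + i}", 50000 + i) for i in range(8)]
    # Ordinary client query seen in both directions: one flow, one dest port.
    + [_flow(3.0, "192.168.1.10", 43000, "10.0.0.53", 53)]
    # A real UDP sweep: one ephemeral source port, eight different dest ports.
    + [_flow(4.0 + i, "172.16.5.5", 51234, "10.0.0.20", 1 + i) for i in range(8)]
)


def parse_conn_log(text):
    """Parse the six-column constructed format into dicts; skips comments/blanks."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig_h, orig_p, resp_h, resp_p, proto = line.split("\t")
        records.append({
            "ts": float(ts), "orig_h": orig_h, "orig_p": int(orig_p),
            "resp_h": resp_h, "resp_p": int(resp_p), "proto": proto,
        })
    return records


def udp_port_scanners(records, threshold=SCAN_PORT_THRESHOLD,
                      ignore_service_ports=False):
    """Return {source_host: distinct_dest_port_count} for hosts at or above threshold.

    With ignore_service_ports=True, flows whose *source* port is a known UDP
    service port are not counted: they are almost always responses whose
    request the sensor missed, not probes.
    """
    ports_by_src = defaultdict(set)
    for r in records:
        if r["proto"] != "udp":
            continue
        if ignore_service_ports and r["orig_p"] in KNOWN_UDP_SERVICE_PORTS:
            continue
        ports_by_src[r["orig_h"]].add(r["resp_p"])
    return {src: len(ports) for src, ports in ports_by_src.items()
            if len(ports) >= threshold}


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    print("naive   :", udp_port_scanners(recs))
    print("filtered:", udp_port_scanners(recs, ignore_service_ports=True))
```

The caveat a practitioner would want: a scanner that sets its own source port to 53 or 123 slips past this exclusion, so it is a false-positive filter, not a hardening of the detector. The stronger check is to confirm that the flow really is a response (the request was seen, or the payload parses as a DNS/NTP reply) rather than trusting the port number alone.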




If you don't mind sharing your bash script, maybe we can look at that and incorporate that logic into this Bro script.


Aashish, you misunderstood me. What we did was not to consider
communications from those ports (NTP & DNS).

I think the problem is that in conn.log there are a lot of UDP connections
marked with the is_local flag set to T when they are not.

I guessed that this is done because of some packets dropped at the NIDS
installation, but netstat -ni does not show any drops or errors on the
capture interface.


Ah yes. We saw this behavior with Bluehost recursive DNS. I don't have a
pcap, I'm sorry.