Is there a way to view which host were scanned when receiving a notice for the scan.bro script? We have been receiving a lot of notices lately for “x.x.x.x scanned at least X unique hosts on port X in Xtime”. I cannot seem to find a good way to determine which host were scanned by the host machine.
typically the only way to do this is to look into conn.log; it might be
possible to add that information using the SAMPLE or LAST SumStat
reducers; however that will require modifying scans.bro.
This has come up a few times.. What do you think of the idea of adding a tags field to conn.log like http.log has?
That might be a good idea - even though I am always a bit hesitant to add
new fields to conn.log. One small drawback is that this approach will
always only mark future connections as scan connections - all the ones
that actually caused something to be recognized as scanning activity will
probably already have been logged into conn.log (and we don't actually
have the connection UIDs - at least at the moment).
So - adding a sample of IPs might still make sense. Or even make more
sense in this case.
This has come up a few times.. What do you think of the idea of adding a tags field to conn.log like http.log has?
That might be a good idea - even though I am always a bit hesitant to add
new fields to conn.log. One small drawback is that this approach will
always only mark future connections as scan connections - all the ones
that actually caused something to be recognized as scanning activity will
probably already have been logged into conn.log (and we don't actually
have the connection UIDs - at least at the moment).
Yeah.. I don't really want to add a new field either, but I think it could be useful in a few places.
Maybe I just need to come up with a handful first
I thought it would work fine for scans.. all my scan.bro does is this:
So as long as I could add to c$conn$tags from those 2 events before the log is written, it would work.
So - adding a sample of IPs might still make sense. Or even make more
sense in this case.
I was thinking about doing that, but the only good place I know of to put a lot of info is in email_body_sections, and that doesn't make it to the notice.log