Scanned Unique Host

Hi,

Is there a way to view which hosts were scanned when receiving a notice from the scan.bro script? We have been receiving a lot of notices lately for “x.x.x.x scanned at least X unique hosts on port X in Xtime”. I cannot seem to find a good way to determine which hosts were scanned by the host machine.

Thanks,

Hi,

typically the only way to do this is to look into conn.log; it might be
possible to add that information using the SAMPLE or LAST SumStat
reducers; however that will require modifying scans.bro.

Johanna
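The conn.log lookup Johanna describes, written out as an added example (not code from the thread or from the Bro/Zeek project): given the scanner address, the port and the time of the notice, it walks a Zeek-style tab-separated conn.log, keeps only the scanner's unanswered (S0) or rejected (REJ) connections to that port inside the notice's window, and returns the distinct responder hosts. The log lines, the `#fields` header subset and the notice parameters below are constructed for the example.

```python
"""Recover the hosts behind a "scanned at least X unique hosts" notice from conn.log.

Added example; assumes a Zeek/Bro conn.log in the default TSV layout with a
"#fields" header line. Only the columns used here are included in the sample.
"""
import ipaddress
from typing import Dict, Iterable, List

# conn_state values that correspond to scan-style probes:
#   S0  - SYN seen, never answered (a connection attempt)
#   REJ - SYN answered with RST (a rejected connection)
SCAN_STATES = {"S0", "REJ"}

# Constructed sample conn.log (not real traffic). The scanner 198.51.100.7
# probes 192.0.2.10-12 on port 22; the remaining rows are distractors:
# a completed session (SF), another port, another origin, and an old probe.
_SAMPLE_ROWS = [
    ("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h",
     "id.resp_p", "proto", "conn_state", "history"),
    ("1500000001.000000", "CAAAA1", "198.51.100.7", "40001", "192.0.2.10", "22", "tcp", "S0", "S"),
    ("1500000002.000000", "CAAAA2", "198.51.100.7", "40002", "192.0.2.11", "22", "tcp", "REJ", "Sr"),
    ("1500000003.000000", "CAAAA3", "198.51.100.7", "40003", "192.0.2.12", "22", "tcp", "S0", "S"),
    ("1500000004.000000", "CAAAA4", "198.51.100.7", "40004", "192.0.2.12", "22", "tcp", "S0", "S"),
    ("1500000005.000000", "CAAAA5", "198.51.100.7", "40005", "192.0.2.20", "22", "tcp", "SF", "ShAdDaFf"),
    ("1500000006.000000", "CAAAA6", "198.51.100.7", "40006", "192.0.2.13", "80", "tcp", "S0", "S"),
    ("1500000007.000000", "CAAAA7", "203.0.113.9", "40007", "192.0.2.14", "22", "tcp", "S0", "S"),
    ("1499999000.000000", "CAAAA8", "198.51.100.7", "40008", "192.0.2.15", "22", "tcp", "S0", "S"),
]
SAMPLE_CONN_LOG = ["\t".join(row) for row in _SAMPLE_ROWS]


def parse_conn_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Turn conn.log lines into dicts keyed by the names in the #fields header."""
    fields = None
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue  # #separator, #open, #types, #close ...
        if fields is None:
            raise ValueError("conn.log data seen before the #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"column count mismatch on line: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def scanned_hosts(records: List[Dict[str, str]], scanner: str, port: int,
                  notice_ts: float, window_secs: float) -> List[str]:
    """Distinct responder hosts probed by `scanner` on `port` in the window ending at the notice."""
    start = notice_ts - window_secs
    hosts = set()
    for rec in records:
        if rec["id.orig_h"] != scanner or rec["id.resp_p"] != str(port):
            continue
        if rec["conn_state"] not in SCAN_STATES:
            continue  # completed or otherwise answered sessions are not probes
        ts = float(rec["ts"])
        if start <= ts <= notice_ts:
            hosts.add(rec["id.resp_h"])
    return sorted(hosts, key=ipaddress.ip_address)


if __name__ == "__main__":
    # Notice parameters are constructed to match the sample log above.
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    for host in scanned_hosts(recs, "198.51.100.7", 22, 1500000010.0, 300.0):
        print(host)
```

On a live system the same functions can be pointed at the rotated conn.log covering the notice's time range; the window should match the interval in the notice text so that hosts probed before the detection epoch are not attributed to it.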

This has come up a few times.. What do you think of the idea of adding a tags field to conn.log like http.log has?

The SQL injection script makes good use of this:

    if ( match_sql_injection_uri in unescaped_URI )
        {
        add c$http$tags[URI_SQLI];

        SumStats::observe("http.sqli.attacker", [$host=c$id$orig_h], [$str=original_URI]);
        SumStats::observe("http.sqli.victim", [$host=c$id$resp_h], [$str=original_URI]);
        }

But there's no corresponding c$conn$tags

Adding SCAN to c$conn$tags would make it easy to figure things out after the fact.

This has come up a few times.. What do you think of the idea of adding a tags field to conn.log like http.log has?

That might be a good idea - even though I am always a bit hesitant to add
new fields to conn.log. One small drawback is that this approach will
always only mark future connections as scan connections - all the ones
that actually caused something to be recognized as scanning activity will
probably already have been logged into conn.log (and we don't actually
have the connection UIDs - at least at the moment).

So - adding a sample of IPs might still make sense. Or even make more
sense in this case.

Johanna

This has come up a few times.. What do you think of the idea of adding a tags field to conn.log like http.log has?

That might be a good idea - even though I am always a bit hesitant to add
new fields to conn.log. One small drawback is that this approach will
always only mark future connections as scan connections - all the ones
that actually caused something to be recognized as scanning activity will
probably already have been logged into conn.log (and we don't actually
have the connection UIDs - at least at the moment).

Yeah.. I don't really want to add a new field either, but I think it could be useful in a few places.
Maybe I just need to come up with a handful first :)

I thought it would work fine for scans.. all my scan.bro does is this:

event connection_attempt(c: connection)
    {
    # history "S": a SYN from the originator with no reply at all
    if ( c$history == "S" )
        add_scan(c$id);
    }

event connection_rejected(c: connection)
    {
    # history "Sr": a SYN answered only by a RST from the responder
    if ( c$history == "Sr" )
        add_scan(c$id);
    }

So as long as I could add to c$conn$tags from those 2 events before the log is written, it would work.

So - adding a sample of IPs might still make sense. Or even make more
sense in this case.

I was thinking about doing that, but the only good place I know of to put a lot of info is in email_body_sections, and that doesn't make it to the notice.log

Would https://github.com/JonZeolla/scan-sampling do what you’re looking for? It’s in bro-pkg as well.

Jon