ScanSummary intervals

Hi,

We are running Bro 0.9a8.

I am trying to track down an inconsistency with our alarm logs.

Our thresholds for reporting AddressScans from external hosts are defined
in scan.bro as follows:

   # Report a scan of peers at each of these distinct-address counts.
   const report_peer_scan: vector of count = {
           20, 100, 1000, 10000, 50000, 100000, 250000, 500000, 1000000,
   } &redef;

This is not redefined elsewhere.

I see AddressScan alarms for a given host when they reach our
first defined threshold of 20.

I don't see entries for the next threshold of 100.

However, when we checkpoint Bro, we see ScanSummary log entries for higher
counts. (We checkpoint Bro every 3 hours.)

Also, we can see ScanSummary entries for hosts that did not have
AddressScan entries during this last log/checkpoint period.

My questions are:

1) Is there something else which might override the report_peer_scan
thresholds?

2) Should checkpointing Bro reset the ScanSummary count, or will we need
to force that?

   2A) How do we force the ScanSummary count to reset?

Our ultimate goal is to be able to determine the number of addresses
scanned by a host at the end of our 3-hour checkpoint interval. That
count could be either the true number or else last threshold reached.

Thanks for your help!

Joncarlo Ruggieri
University of CA, Davis
Data Center & Client Services

1) Is there something else which might override the report_peer_scan
thresholds?

If I recall correctly, a source is no longer reported when it has
performed shut_down_thresh connection attempts (default: 100).
Instead Bro then just generates a ScanSummary after 1 day or at
termination, whatever comes first.

2) Should checkpointing Bro reset the ScanSummary count, or will we need
to force that?

It will be reset; by default Bro does not carry state across
restarts (it may though by declaring things as &persistent).

Robin

P.S.: You wrote that you're checkpointing every 3 hours. Do you do this
primarily to avoid running out of memory? If yes: in newer
(development) versions, we've greatly improved the state management,
so this may become unnecessary eventually.
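To make the reply concrete, here is a small Python model of the reporting behaviour Robin describes (AddressScan alarms at the report_peer_scan thresholds, no further alarms once a source has made shut_down_thresh connection attempts, one ScanSummary per source at checkpoint). It is an added illustration, not Bro's scan.bro code; the traffic, the ScanTracker class and its method names are constructed for the example, and the thresholds and the shut_down_thresh default of 100 are the values quoted in this thread.

```python
from collections import defaultdict

# Values taken from the thread: the scan.bro thresholds and shut_down_thresh.
REPORT_PEER_SCAN = (20, 100, 1000, 10000, 50000, 100000, 250000, 500000, 1000000)
SHUT_DOWN_THRESH = 100


class ScanTracker:  # toy model of the behaviour described in the reply
    def __init__(self, thresholds=REPORT_PEER_SCAN, shut_down=SHUT_DOWN_THRESH):
        self.thresholds, self.shut_down = thresholds, shut_down
        self._reset()

    def _reset(self):
        self.attempts = defaultdict(int)   # connection attempts per source
        self.peers = defaultdict(set)      # distinct destinations per source
        self.next_idx = defaultdict(int)   # next report_peer_scan index per source
        self.shut = set()                  # sources past shut_down_thresh
        self.alarms = []                   # (source, "AddressScan", count)

    def connection_attempt(self, src, dst):
        self.attempts[src] += 1
        self.peers[src].add(dst)
        if src in self.shut:
            return                         # no more AddressScan alarms for it
        if self.attempts[src] >= self.shut_down:
            self.shut.add(src)             # from here on only a ScanSummary
            return
        i, n = self.next_idx[src], len(self.peers[src])
        if i < len(self.thresholds) and n >= self.thresholds[i]:
            self.alarms.append((src, "AddressScan", n))
            self.next_idx[src] = i + 1

    def checkpoint(self):
        # One ScanSummary per source seen, then drop all state like a restart.
        summary = [(s, "ScanSummary", len(p)) for s, p in self.peers.items()]
        self._reset()
        return summary


def demo():
    t = ScanTracker()
    # Constructed traffic: 10.0.0.1 tries 40 hosts twice (80 attempts), then 70
    # new hosts, so attempts hit 100 while only 60 addresses are distinct.
    for i in range(40):
        for _ in range(2):
            t.connection_attempt("10.0.0.1", f"192.0.2.{i}")
    for i in range(40, 110):
        t.connection_attempt("10.0.0.1", f"192.0.2.{i}")
    for i in range(5):                     # quiet host: summary but no alarm
        t.connection_attempt("10.0.0.2", f"192.0.2.{i}")
    alarms = list(t.alarms)
    return alarms, t.checkpoint()
```

In this run 10.0.0.1 produces a single AddressScan alarm at 20, never one at 100, and a ScanSummary of 110 at checkpoint, while 10.0.0.2 appears only in the summary, matching both observations in the original question.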

Hello,

Do you have any release date?

Thank you.

The "1.x development release" at http://www.bro-ids.org/download.html
has these fixes.

Yet there are still a few more tweaks coming up which are not yet
included. Essentially we're going to switch to a memory-efficient
default configuration. Instead of requiring reduce-memory to be loaded
for effective use in large networks, there'll then be the opposite:
an expensive-analysis.bro which can be loaded if the network volume
permits.

Robin

Hello,

The one you're speaking about seems to be the 1.0 release (Oct 2005).
Isn't this a normal release rather than a development one?

Best regards.