redef skip_services += {
445/tcp,
135/tcp
};

You need to put these in both skip_services and skip_outbound_services.
Yeah, I know, this isn't intuitive :-(. The configuration for scan.bro
is pretty much a mess, and we have a rewrite of it pending, but haven't
managed to get it fully together yet. Sorry about that ...

2) How does the site-report.pl script choose the entries to be written
in the Scan section of the report? Reading the manual I see that they
should be ONLY the successful scans, but at the end of the alarm.log file I
have some entries like "ScanSummary: host x has scanned a total of 3241
hosts" and this does not appear in the report! Instead, in the report I
have entries like "host y has scanned 100 hosts" so it's a lower value
and seems related to the thresholds set in the variable
"report_outbound_peer_scan" rather than being a total number of hosts
scanned.

Right, the summary is decoupled here. Jason or Roger will need to chime
in here, as they're the ones who develop/maintain site-report.pl.
Again, sorry about the confusion ...
Vern