List: bro
Subject: Re: [Bro] inbound PortScans that aren't really...
From: Vern Paxson <vern () icir ! org>
Date: 2007-10-09 22:56:08
Message-ID: 200710092256.l99MuD3D001599 () pork ! ICSI ! Berkeley ! EDU
> > Can you send me a trace of one of these scans? (Just TCP control
> > packets is fine if there's content you can't pass on).
> ...
> We have a free copy of splunk indexing the /usr/local/bro/logs/*
> files. Using splunk provides an easy way to retrieve data from all
> of the BRO files - conn, notice, info, etc. Tim Rupp did this. He's
> available for hire!
>
> I saw an outbound scan report today and used this splunk command ...
To figure this out, we really need a raw trace. The reason is the appearance
of a bunch of connections with state given as "OTH". Those reflect a
non-standard connection establishment (often due to Bro missing the beginning
of the connection, or multi-pathing, or the packet filter reordering SYNs
with SYN ACKs), which are probably what's confusing the scan detector about
the direction of the activity.
You can anonymize a raw trace using ipsumdump -A. Alternatively, you
could run Bro on it using "record_state_history=T" at the command line
to turn on connection state history tracking, which would probably let us
infer what's going on.
Vern
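As an added illustration of the triage Vern describes (example code written for this page, not from the thread or from Bro), the script below takes per-connection state and history strings for one host the scan detector reported, classifies how Bro saw each connection start, and says whether the report's direction can be trusted. It assumes Bro was run with record_state_history=T and uses Bro's documented history letters (S=SYN, H=SYN-ACK, A=ACK, D=data, F=FIN, R=RST; uppercase from the originator, lowercase from the responder); the record layout and the sample records are constructed, not Bro's conn log format.

```python
from collections import Counter

# Constructed records for one host the scan detector reported as a scanner.
# Fields: orig_h, resp_h, state, history (simplified layout, not Bro's conn log).
RECORDS = [
    ("10.1.1.7", "192.0.2.10", "OTH", "HAad"),      # SYN-ACK seen first
    ("10.1.1.7", "192.0.2.11", "OTH", "HA"),        # SYN-ACK seen first
    ("10.1.1.7", "192.0.2.12", "OTH", "ADad"),      # handshake never seen
    ("10.1.1.7", "192.0.2.13", "S0", "S"),          # unanswered SYN
    ("10.1.1.7", "192.0.2.14", "REJ", "Sr"),        # SYN rejected with RST
    ("10.1.1.7", "192.0.2.15", "SF", "ShADadFf"),   # full connection
]


def classify_history(history):
    """Infer how Bro saw the connection start from its history string."""
    if not history:
        return "no_history"
    first = history[0]
    if first == "S":
        return "normal_start"        # the originator really sent the SYN
    if first == "H":
        return "reversed_direction"  # first packet was a SYN-ACK: roles swapped
    return "missed_start"            # ACK/data/FIN/RST first: establishment not seen


def triage(records, unreliable_threshold=0.5):
    """Summarise states and inferred starts and decide if the report is usable."""
    states = Counter(r[2] for r in records)
    starts = Counter(classify_history(r[3]) for r in records)
    unreliable = starts["reversed_direction"] + starts["missed_start"]
    ratio = unreliable / len(records) if records else 0.0
    if ratio >= unreliable_threshold:
        verdict = "inconclusive: direction unreliable, collect a raw trace"
    else:
        verdict = "report consistent with originator-driven scanning"
    return {"states": states, "starts": starts,
            "unreliable_ratio": ratio, "verdict": verdict}


if __name__ == "__main__":
    for key, value in triage(RECORDS).items():
        print(key, value)
```

Half of the constructed records are OTH with a reversed or missing start, so the verdict is "inconclusive" and the next step is the raw trace (anonymised with ipsumdump -A) rather than a block.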