List:       bro
Subject:    Re: [Bro] inbound PortScans that aren't really...
From:       Vern Paxson <vern () icir ! org>
Date:       2007-10-09 22:56:08
Message-ID: 200710092256.l99MuD3D001599 () pork ! ICSI ! Berkeley ! EDU

> > Can you send me a trace of one of these scans? (Just TCP control
> > packets is fine if there's content you can't pass on).
> ...
> We have a free copy of splunk indexing the /usr/local/bro/logs/*  
> files.  Using splunk provides an easy way to retrieve data from all  
> of the BRO files - conn, notice, info, etc.  Tim Rupp did this.  He's  
> available for hire!
> 
> I saw an outbound scan report today and used this splunk command ...

To figure this out, we really need a raw trace.  The reason is the appearance
of a bunch of connections with state given as "OTH".  Those reflect a
non-standard connection establishment (often due to Bro missing the beginning
of the connection, or multi-pathing, or the packet filter reordering SYNs
with SYN ACKs), which are probably what's confusing the scan detector about
the direction of the activity.

You can anonymize a raw trace using ipsumdump -A.  Alternatively, you
could run Bro on it using "record_state_history=T" at the command line
to turn on connection state history tracking, which would probably let us
infer what's going on.

		Vern
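As an added example (not part of the message above, and not Bro's own code), here is a small triage script for the "OTH" records Vern describes: it uses the per-packet history that record_state_history=T records to decide whether Bro's notion of originator can be trusted before counting a connection toward a scan. The record layout and the sample log are constructed for this example; the history letters follow Bro's documented encoding (uppercase = originator, lowercase = responder).

```python
"""Triage Bro conn.log records in state OTH via the connection history.

Assumed record layout (constructed, not Bro's exact column order):
    orig_h orig_p resp_h resp_p state history
history letters: uppercase = from originator, lowercase = from responder;
S=SYN, H=SYN-ACK, A=ACK, D=data, F=FIN, R=RST.
"""
from collections import Counter

# Constructed sample.  The OTH records with orig_p 80 are the kind that make
# an outbound scan appear inbound.
SAMPLE_LOG = """\
10.1.1.5 40001 192.0.2.10 80 SF ShADadFf
10.1.1.5 40002 192.0.2.11 80 SF ShADadFf
192.0.2.20 80 10.1.1.7 51000 OTH HaDdAf
192.0.2.21 80 10.1.1.7 51001 OTH HaDdA
10.1.1.5 40003 192.0.2.12 22 S0 S
10.1.1.9 40010 192.0.2.30 443 OTH DdAa
"""


def parse(line):
    orig_h, orig_p, resp_h, resp_p, state, history = line.split()
    return {"orig_h": orig_h, "orig_p": int(orig_p), "resp_h": resp_h,
            "resp_p": int(resp_p), "state": state, "history": history}


def direction_is_reversed(rec):
    """Return (reversed, reason).  Bro calls the sender of the first packet
    it saw the originator; if that packet was a SYN-ACK ('H'), the client's
    SYN was missed or reordered and the direction is backwards.  A first
    packet of ACK/data means the handshake was missed entirely, so fall back
    to which side holds the lower, service-like port."""
    h = rec["history"]
    if rec["state"] != "OTH" or not h:
        return False, "handshake seen"
    if h[0] == "H":
        return True, "first packet seen was a SYN-ACK"
    if h[0] in "AD":
        return rec["orig_p"] < rec["resp_p"], "mid-stream pickup; port heuristic"
    return False, "unrecognised history"


def summarize(log_text):
    """Per-state counts plus how many OTH records to flip before scan counting."""
    recs = [parse(l) for l in log_text.splitlines() if l.strip()]
    flipped = sum(1 for r in recs if direction_is_reversed(r)[0])
    return {"total": len(recs),
            "states": dict(Counter(r["state"] for r in recs)),
            "oth_reversed": flipped}
```

Run on the constructed sample, two of the three OTH records are flagged as direction-reversed, which is what turns an apparent inbound scan back into the outbound activity it was.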
