scan Analyzer

The scan analyzer detects connection attempts to numerous machines
(address scanning), connection attempts to many different services
on the same machine (port scanning), and attempts to access many different
accounts (password guessing). The basic methodology is to use tables to
keep track of the distinct addresses and ports to which a given host
attempts to connect, and to trigger alerts when either of these reaches
a specified size. Deficiency: As currently written, the analyzer will not detect distributed scans, in which many sites each probe only a few ports or addresses but together cover a large number of them; because the tables are keyed by the individual probing host, no single host ever reaches the threshold.
A powerful technique that Bro potentially provides is dropping border connectivity with remote scanning sites, though you must supply the magic script that talks to your router to effect the block. See drop_address below for a discussion of the interface provided. Note: Naturally, providing this capability means you may become vulnerable to denial-of-service attacks in which spoofed packets are used in an attempt to trigger a block of a site to which you want to have access; any host whose connectivity you cannot afford to lose should be exempted from automatic blocking.
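The following is an added example, not Bro's own scan analyzer or its policy script. It implements the table-based methodology described above in Python: per-source tables of distinct destination addresses (address scanning), per-source/per-destination tables of distinct ports (port scanning) and per-source tables of distinct account names (password guessing), each raising an alert when its table reaches a threshold. The thresholds, the `drop_address` stand-in for the router hook and the `NEVER_BLOCK` exemption set are hypothetical choices for this example, and the traffic it runs over is constructed. The sample includes a distributed scan that stays under every per-host threshold, illustrating the deficiency noted above, and a sweep forged to appear from an exempt address, illustrating why an exemption list matters when blocking is automatic.

```python
"""Threshold-based scan detection in the style described above.

Added example, not Bro's scan.bro. Thresholds, NEVER_BLOCK and the
drop_address() stand-in are hypothetical values for this example.
"""
from collections import defaultdict

# Hypothetical thresholds; a real deployment tunes these to its traffic.
ADDR_SCAN_THRESHOLD = 5     # distinct destination hosts from one source
PORT_SCAN_THRESHOLD = 4     # distinct ports on one host from one source
PASSWD_GUESS_THRESHOLD = 3  # distinct accounts tried by one source

# Hosts that must never be dropped at the border, even if a (possibly
# spoofed) scan appears to originate from them. Hypothetical addresses.
NEVER_BLOCK = {"192.0.2.53", "192.0.2.54"}   # e.g. upstream DNS servers


class ScanDetector:
    def __init__(self):
        self.dst_addrs = defaultdict(set)   # src -> distinct destinations
        self.dst_ports = defaultdict(set)   # (src, dst) -> distinct ports
        self.accounts = defaultdict(set)    # src -> distinct accounts tried
        self.alerts = []                    # (kind, src, detail) tuples
        self.blocked = []                   # sources handed to the router

    def _alert(self, kind, src, detail=None):
        self.alerts.append((kind, src, detail))
        self.drop_address(src)

    def drop_address(self, src):
        """Stand-in for the router hook (hypothetical): decide whether to
        block src. Returns True if a block was issued."""
        if src in NEVER_BLOCK or src in self.blocked:
            return False
        self.blocked.append(src)
        return True

    def connection_attempt(self, src, dst, port):
        self.dst_addrs[src].add(dst)
        # Fire exactly once, when the table first reaches the threshold.
        if len(self.dst_addrs[src]) == ADDR_SCAN_THRESHOLD:
            self._alert("AddressScan", src)
        self.dst_ports[(src, dst)].add(port)
        if len(self.dst_ports[(src, dst)]) == PORT_SCAN_THRESHOLD:
            self._alert("PortScan", src, dst)

    def login_attempt(self, src, account):
        self.accounts[src].add(account)
        if len(self.accounts[src]) == PASSWD_GUESS_THRESHOLD:
            self._alert("PasswordGuessing", src)


# Constructed sample traffic: (src, dst, dst_port) connection attempts.
SAMPLE_CONNS = [
    # one source sweeps five ports on one host -> port scan
    *[("203.0.113.7", "10.0.0.1", p) for p in (21, 22, 23, 25, 80)],
    # one source sweeps six hosts on port 445 -> address scan
    *[("203.0.113.8", "10.0.0.%d" % i, 445) for i in range(1, 7)],
    # distributed scan: six sources each probe a single host once;
    # no per-source table reaches a threshold, so nothing fires
    *[("198.51.100.%d" % i, "10.0.0.%d" % i, 445) for i in range(1, 7)],
    # sweep with a source forged to look like an exempt DNS server
    *[("192.0.2.53", "10.0.0.%d" % i, 53) for i in range(1, 7)],
]
# Constructed sample login attempts: (src, account_name).
SAMPLE_LOGINS = [("203.0.113.9", u) for u in ("root", "admin", "guest", "oracle")]


def run(conns=SAMPLE_CONNS, logins=SAMPLE_LOGINS):
    det = ScanDetector()
    for src, dst, port in conns:
        det.connection_attempt(src, dst, port)
    for src, account in logins:
        det.login_attempt(src, account)
    return det


if __name__ == "__main__":
    d = run()
    for kind, src, detail in d.alerts:
        print("alert: %s from %s%s" % (kind, src, " on %s" % detail if detail else ""))
    print("blocked at border:", d.blocked)
```

The forged sweep from 192.0.2.53 still produces an AddressScan alert, so the operator sees it, but `drop_address` refuses to block the exempt address; without that exemption an attacker could cut the site off from its own DNS servers with a handful of spoofed SYNs.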