Scan Analyzer
From BroWiki
Overview
The scan analyzer detects connection attempts to numerous
machines (address scanning), connection attempts to many different services on
the same machine (port scanning), and attempts to access many different
accounts (password guessing). The basic methodology is to use tables to keep
track of the distinct addresses and ports to which a given host attempts to
connect, and to trigger alerts when either of these reaches a specified size.
A powerful technique that Bro potentially provides is dropping border
connectivity with remote scanning sites, though you must supply the magic
script to talk with your router and effect the block. See
drop_address below for a discussion of the interface provided.
Note: Naturally, providing this capability means you might become vulnerable
to denial-of-service attacks in which spoofed packets are used in an attempt
to trigger a block of a site to which you want to have access.
Code Documentation
scan variables
In addition to internal variables for its bookkeeping, the analyzer provides the following redefinable variables:
- report_peer_scan : set[count]
- Generate a log message whenever a remote host (as determined by is_local_address) has attempted to connect to the given number of distinct hosts.
- default: { 100, 1000, 10000, }. So, for example, if a remote host attempts to connect to 3,500 different local hosts, a report will be generated when it makes the 100th attempt, and another when it makes the 1,000th attempt.
- report_outbound_peer_scan : set[count]
- The same as report_peer_scan, except for connections initiated locally.
- default: { 1000, 10000, }.
- possible_port_scan_thresh : count
- Initially, port scan detection is done based on how many different ports a given host connects to, regardless of on which hosts. Once this threshold is reached, however, then the analyzer begins tracking ports accessed per-server, which is important for reducing false positives. Note: The reason this variable exists is because it is very expensive to track per-server ports accessed for every active host; this variable limits such tracking to only active hosts contacting a significant number of different ports.
- default:
25.
- report_accounts_tried : set[count]
- Whenever a remote host has attempted to access a number of local accounts present in this set, generate a log message. Each distinct username/password pair is considered a different access.
- default:
{ 25, 100, 500, }.
- report_remote_accounts_tried : set[count]
- The same, except for access to remote accounts rather than local ones.
- default:
{ 100, 500, }.
- skip_accounts_tried : set[addr]
- Do not do bookkeeping for account attempts for the given hosts.
- default: empty.
- skip_outbound_services : set[port]
- Do not do outbound-scanning bookkeeping for connections involving the given services.
- default:
{ allow_services, ftp, addl_web }(see next item).
- addl_web : set[port]
- Additional ports that should be considered as Web traffic (and hence skipped for outbound-scan bookkeeping).
- default:
{ 81/tcp, 443/tcp, 8000/tcp, 8001/tcp, 8080/tcp, }.
- skip_scan_sources : set[addr]
- Hosts that are allowed to address-scan without complaint.
- default:
{ scooter.pa-x.dec.com, scooter2.av.pa-x.dec.com } (AltaVista crawlers; you get the idea).
- skip_scan_nets_24 : set[addr, port]
- /24 networks that are allowed to address scan for the given port without complaint.
- default: empty.
- can_drop_connectivity : bool
- True if the Bro has the capability of dropping connectivity, per drop_address.
- default: false.
- shut_down_scans : set[port]
- Scans of these ports trigger connectivity-dropping (if the Bro is capable of dropping connectivity), unless shut_down_all_scans is defined (next item).
- default: empty.
- shut_down_all_scans : bool
- Ignore shut_down_scans and simply drop all scans regardless of service.
- default: false.
- shut_down_thresh : count
- Shut down connectivity after a host has scanned this many addresses.
- default:
100.
- never_shut_down : set[addr]
- Purported scans from these addresses are never shut down.
- default: the root name servers (a.root-servers.net through m.root-servers.net).
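As an added illustration of the bookkeeping described above (this is not code from the Bro scan analyzer itself), the following Python sketch keeps the same tables: distinct destination hosts per source, reported at the report_peer_scan default thresholds, and distinct ports per source until possible_port_scan_thresh is reached, after which ports are tracked per server. The per-server report threshold REPORT_PORT_SCAN, the skip list handling and the sample addresses are assumptions.

```python
from collections import defaultdict

# Defaults taken from the page.
REPORT_PEER_SCAN = {100, 1000, 10000}
POSSIBLE_PORT_SCAN_THRESH = 25
# Assumed per-server port-scan report sizes; the page does not give these.
REPORT_PORT_SCAN = {25, 100}


class ScanTracker:
    """Table-based scan bookkeeping in the style the page describes."""

    def __init__(self, skip_scan_sources=()):
        self.skip = set(skip_scan_sources)         # like skip_scan_sources
        self.hosts = defaultdict(set)              # src -> distinct dst addrs
        self.ports = defaultdict(set)              # src -> distinct ports, any host
        self.server_ports = defaultdict(set)       # (src, dst) -> distinct ports
        self.notices = []

    def connection_attempt(self, src, dst, port):
        """Record one attempt; return the notices it triggers (possibly none)."""
        if src in self.skip:
            return []
        new = []
        hosts = self.hosts[src]
        if dst not in hosts:                       # address scan: count distinct hosts
            hosts.add(dst)
            if len(hosts) in REPORT_PEER_SCAN:     # report only at the set sizes
                new.append(("AddressScan", src, len(hosts)))
        ports = self.ports[src]
        ports.add(port)
        # Cheap global port count first; per-server tracking only once the
        # source has touched possible_port_scan_thresh distinct ports.
        if len(ports) >= POSSIBLE_PORT_SCAN_THRESH:
            sp = self.server_ports[(src, dst)]
            if port not in sp:
                sp.add(port)
                if len(sp) in REPORT_PORT_SCAN:
                    new.append(("PortScan", src, dst, len(sp)))
        self.notices.extend(new)
        return new


def run_demo():
    """Constructed traffic: an address sweep, a port sweep and a skipped host."""
    t = ScanTracker(skip_scan_sources={"10.0.0.3"})
    for i in range(1, 151):                        # 150 hosts on port 22
        t.connection_attempt("10.0.0.1", f"10.1.0.{i}", 22)
    for p in range(1, 61):                         # 60 ports on one server
        t.connection_attempt("10.0.0.2", "10.1.0.1", p)
    for p in range(1, 61):                         # same sweep from a skipped source
        t.connection_attempt("10.0.0.3", "10.1.0.1", p)
    return t.notices
```

Note that per-server port counting starts only after the global threshold is crossed, so the first ports a scanner touched before that point are not attributed to any server; that is the trade-off the possible_port_scan_thresh note describes.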
scan functions
scan event handlers
