# to run: bro -r tracefile ex2f.bro weird alarm @load mysite @load notice # define new Notice redef enum Notice += { ScannerFound, }; # only alarm if more than alarm_thresh connections const alarm_thresh = 10 &redef; global conn_count = 0; # table to keep track of successful connections from each new remote host global conn_per_orig: table[addr] of count &default=0; # table to keep track of connection attempts from each new remote host global conn_attempt_per_orig: table[addr] of count &default=0 ; function print_results() { local success_ratio = 0.0; print fmt("\n Total number of connections: %d \n", conn_count); for ( orig in conn_attempt_per_orig ) { # value * 1.0 will convert type count to double success_ratio = conn_per_orig[orig] * 1.0 / conn_attempt_per_orig[orig] * 1.0; print fmt("Connections from host %s: %d out of %d attempts: ratio = %.4f", orig, conn_per_orig[orig], conn_attempt_per_orig[orig], success_ratio); } } event print_event() { print_results(); # reschedule in another 2 minutes schedule 2 min { print_event() }; } event bro_init() { schedule 2 min { print_event() }; } event connection_established(c: connection) { local id = c$id; local log_msg = fmt("%.6f %.6f %s %s %d %d %d %d ", c$start_time, c$duration, id$orig_h, id$resp_h, id$orig_p, id$resp_p, c$orig$size, c$resp$size); print log_msg; ++conn_count; if (! is_local_addr(id$orig_h) ) # only count remote hosts ++conn_per_orig[id$orig_h]; } event new_connection(c: connection) { local orig = c$id$orig_h; local success_ratio = 0.0; if (! is_local_addr(orig) ) # only count remote hosts { ++conn_attempt_per_orig[orig]; success_ratio = conn_per_orig[orig] * 1.0 / conn_attempt_per_orig[orig] * 1.0; if (success_ratio < .2 && conn_attempt_per_orig[orig] > alarm_thresh ) { NOTICE([$note=ScannerFound, $conn=c, $src=orig, $msg=fmt("%d out of %d connections from host %s failed", conn_attempt_per_orig[orig] - conn_per_orig[orig], conn_attempt_per_orig[orig], orig) ]); } } } event bro_done() { print_results(); }