UDP scan detection generates a large number of triggers

Robin, All:

Here are the graphs for a run of all scan policies (OldScan + new scan.bro,
scan_udp.bro, scan_icmp.bro) from a run on a freebsd 9.1 box for
approximate 3 day duration.

Memory footprint continues to grow but I have noticed on other systems that
memory flattens out around 11G range (after 9 day uninterrupted run).

CPU is surprisingly low at on this host. (Attached graph). However on
other boxes I have seen CPU being high as time progresses.

It seems to me that scan_udp fix is probably working looking at this one
data point. I will enable these on other DMZ boxes and lets see if we see
same results.

Aashish

On Tue, Feb 18, 2014 at 2:41 PM, Robin Sommer (JIRA) <

Aashish, can you post or link to the versions of the scripts you're running? Just for the record, and also I had some changes I tried to describe on an email thread that I don't think made it across, so if I still have any suggestions I can just modify your script and post it back to you.

The CPU spikes worry me quite a bit. I can't quite tell if there's a pattern to it, i.e., if they come in regular intervals, and in particular if they align with the sumstats interval?

John,

I am sending you the tar ball of the site-policy files in a direct email.

Aashish

–
Aashish Sharma (asharma@lbl.gov)
Cyber Security,
Lawrence Berkeley National Laboratory
http://go.lbl.gov/pgp-aashish
Office: (510)-495-2680 Cell: (510)-612-7971

Not in distribution yet.