Simple policy to detect VNC (RFB) scanners based on src->dst connection counts
Following functionality are provided by the script
1) It simply counts number of dst IPs a src IP touched over rfb protocol 2) Generates a Scan::VNCScanner alert/notice
bro-pkg install bro/initconf/vnc-scanner
The following packages will be INSTALLED: bro/initconf/vnc-scanner (master)
Proceed? [Y/n] y Running unit tests for "bro/initconf/vnc-scanner" all 1 tests successful Installing "bro/initconf/vnc-scanner" Installed "bro/initconf/vnc-scanner" (master) Loaded "bro/initconf/vnc-scanner"
or @load vnc-scanner/scripts
Detail Alerts and descriptions: Following alerts are generated by the script:
Heuristics are simple. Count M connections to N IPs by a src IP.
This should generate following Kinds of notices:
Example Alert: VNCScanner
1511943733.028717 CtxTCR2Yer0FR1tIBg 188.8.131.52 34021 184.108.40.206 5900 - - -tcp Scan::VNCScanner 220.127.116.11 has hit 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, IPs on vnc 5900/tcp - 184.108.40.206 220.127.116.11 5900 - bro Notice::ACTION_LOG 21600.000000 F