Simple policy to detect VNC (RFB) scanners based on src->dst connection counts

Following functionality are provided by the script

1) It simply counts number of dst IPs a src IP touched over rfb protocol 
2) Generates a Scan::VNCScanner alert/notice 


bro-pkg install bro/initconf/vnc-scanner

The following packages will be INSTALLED: bro/initconf/vnc-scanner (master)

Proceed? [Y/n] y Running unit tests for "bro/initconf/vnc-scanner" all 1 tests successful Installing "bro/initconf/vnc-scanner" Installed "bro/initconf/vnc-scanner" (master) Loaded "bro/initconf/vnc-scanner"

or @load vnc-scanner/scripts

Detail Alerts and descriptions: Following alerts are generated by the script:

Heuristics are simple. Count M connections to N IPs by a src IP.

This should generate following Kinds of notices:

  • VNCScanner

Example Alert: VNCScanner

1511943733.028717 CtxTCR2Yer0FR1tIBg 34021 5900 - - -tcp Scan::VNCScanner has hit,,,, IPs on vnc 5900/tcp - 5900 - bro Notice::ACTION_LOG 21600.000000 F

Package Version :