Simple policy to detect VNC (RFB) scanners based on src->dst connection counts

Following functionality are provided by the script

1) It simply counts number of dst IPs a src IP touched over rfb protocol 
2) Generates a Scan::VNCScanner alert/notice

Installation

bro-pkg install bro/initconf/vnc-scanner

The following packages will be INSTALLED: bro/initconf/vnc-scanner (master)

Proceed? [Y/n] y Running unit tests for "bro/initconf/vnc-scanner" all 1 tests successful Installing "bro/initconf/vnc-scanner" Installed "bro/initconf/vnc-scanner" (master) Loaded "bro/initconf/vnc-scanner"

or @load vnc-scanner/scripts

Detail Alerts and descriptions: Following alerts are generated by the script:

Heuristics are simple. Count M connections to N IPs by a src IP.

This should generate following Kinds of notices:

VNCScanner

Example Alert: VNCScanner

1511943733.028717 CtxTCR2Yer0FR1tIBg 13.245.45.3 34021 136.159.9.83 5900 - - -tcp Scan::VNCScanner 13.245.45.3 has hit 136.159.9.83, 136.159.114.108, 136.159.78.74, 136.159.80.9, IPs on vnc 5900/tcp - 13.245.45.3 136.159.9.83 5900 - bro Notice::ACTION_LOG 21600.000000 F

vnc-scanner

Simple policy to detect VNC (RFB) scanners based on src->dst connection counts

Following functionality are provided by the script

Installation

Detail Alerts and descriptions: Following alerts are generated by the script:

Example Alert: VNCScanner

Package Version :

Description :

Script Dir :

Test Command :

Tags :