Simple policy to detect VNC (RFB) scanners based on src->dst connection counts
Following functionality are provided by the script
1) It simply counts number of dst IPs a src IP touched over rfb protocol 2) Generates a Scan::VNCScanner alert/notice
bro-pkg install bro/initconf/vnc-scanner
The following packages will be INSTALLED: bro/initconf/vnc-scanner (master)
Proceed? [Y/n] y Running unit tests for "bro/initconf/vnc-scanner" all 1 tests successful Installing "bro/initconf/vnc-scanner" Installed "bro/initconf/vnc-scanner" (master) Loaded "bro/initconf/vnc-scanner"
or @load vnc-scanner/scripts
Detail Alerts and descriptions: Following alerts are generated by the script:
Heuristics are simple. Count M connections to N IPs by a src IP.
This should generate following Kinds of notices:
Example Alert: VNCScanner
1511943733.028717 CtxTCR2Yer0FR1tIBg 220.127.116.11 34021 18.104.22.168 5900 - - -tcp Scan::VNCScanner 22.214.171.124 has hit 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, IPs on vnc 5900/tcp - 18.104.22.168 22.214.171.124 5900 - bro Notice::ACTION_LOG 21600.000000 F