suppress_scan_checks : bool
If true, we suppress scan checking (we still do account-tried accounting). This is provided because scan checking can consume a lot of memory.
report_peer_scan : set[count]
When the number of distinct machines connected to by a given external host reaches each of the levels in the set, an alert is generated.
Note: This variable is const, so may only be changed via redef.
report_outbound_peer_scan : set[count]
When the number of distinct machines connected to by a given internal host reaches each of the levels in the set, an alert is generated.
Note: This variable is const, so may only be changed via redef.
num_distinct_peers : table[addr] of count
A table indexed by a host's address which indicates how many distinct machines that host has connected to.
distinct_peers : set[addr,addr]
A set of (source host, target machine) pairs that tracks which machines have been contacted (potentially scanned) by each source host; num_distinct_peers is derived from it.
num_distinct_ports : table[addr] of count
A table indexed by a host's address which indicates how many distinct ports that host has connected to.
distinct_ports : set[addr, port]
A set of (source host, target port) pairs that tracks which ports have been contacted (potentially scanned) by each source host; num_distinct_ports is derived from it.
report_port_scan : set[count]
When the number of distinct ports connected to by a given external host reaches each of the levels in the set, an alert is generated.
Note: This variable is const, so may only be changed via redef.
possible_port_scan_thresh : count
If a host tries to connect to more than this number of ports, it is considered a possible scanner.
Note: This variable is const, so may only be changed via redef.
possible_scan_sources : set[addr]
Hosts are put in this set once they have scanned more than possible_port_scan_thresh ports.
num_scan_triples : table[addr, addr] of count
Indexed by source address and destination address, the number of services scanned for on the latter by the former. This is only tracked for hosts in possible_scan_sources.
scan_triples : set[addr, addr, port]
For each host in possible_scan_sources as a source address, the triples of (source address, destination address, service/port) scanned.
accounts_tried : set[addr, string, string]
Which account names were tried, indexed by source address, user name tried, password tried.
num_accounts_tried : table[addr] of count
How many accounts, as defined by a (user name, password) pair, were tried by the host with the given address.
report_accounts_tried : set[count]
When the number of distinct accounts (username, password) tried by a given external host reaches each of the levels in the set, an alert is generated.
Note: This variable is const, so may only be changed via redef.
report_remote_accounts_tried : set[count]
When the number of distinct remote accounts (username, password) tried by a given internal host reaches each of the levels in the set, an alert is generated.
Note: This variable is const, so may only be changed via redef.
skip_accounts_tried : set[addr]
Hosts in this set are not subject to alerts based on report_accounts_tried and report_remote_accounts_tried.
Note: This variable is const, so may only be changed via redef.
addl_web : set[port]
Ports in this set are treated as HTTP services.
Note: This variable is const, so may only be changed via redef.
skip_services : set[port]
Connections to ports in this set are ignored for the purposes of scan detection.
Note: This variable is const, so may only be changed via redef.
skip_outbound_services : set[port]
Connections to external machines on ports in this set are ignored for the purposes of scan detection.
Note: This variable is const, so may only be changed via redef.
skip_scan_sources : set[addr]
Hosts in this set are ignored as possible sources of scans.
Note: This variable is const, so may only be changed via redef.
skip_scan_nets_16 : set[addr,port]
Connections matching the specified (source host /16 subnet, port) pairs are ignored for the purpose of scan detection.
Note: This variable is const, so may only be changed via redef.
skip_scan_nets_24 : set[addr,port]
Connections matching the specified (source host /24 subnet, port) pairs are ignored for the purpose of scan detection.
Note: This variable is const, so may only be changed via redef.
backscatter_ports : set[port]
Reverse (SYN-ack) scans seen from these ports are considered to reflect possible SYN flooding backscatter and not true (stealth) scans.
Note: This variable is const, so may only be changed via redef.
num_backscatter_peers : table[addr] of count
Indexed by a host, how many other hosts it connected to with a possible backscatter signature.
distinct_backscatter_peers : table[addr, addr] of count
A table of [source, destination] observed backscatter activity; the table entry is a count of backscatter packets from the source to the destination.
report_backscatter : set[count]
When the number of machines that a host has sent backscatter packets to reaches each of the levels in the set, an alert is generated.
Fixme: Need to document connection-dropping related variables.
global can_drop_connectivity = F &redef;
global drop_connectivity_script = "drop-connectivity" &redef;
global connectivity_dropped: set[addr];
const shut_down_scans: set[port] &redef;
const shut_down_all_scans = F &redef;
const shut_down_thresh = 100 &redef;
never_shut_down: set[addr]
never_drop_nets: set[net]
never_drop_16_nets: set[net]
did_drop_address: table[addr] of count
The set of root DNS servers.
Note: This variable is const, so may only be changed via redef.
gtld_servers : set[host]
The set of Generic Top-Level Domain servers (.com, .net, .org, etc.).
Note: This variable is const, so may only be changed via redef.