7.6.1 scan variables

In addition to internal variables for its bookkeeping, the analyzer provides the following redefinable variables:

report_peer_scan : set[count]
Generate a log message whenever a remote host (as determined by is_local_address) has attempted to connect to the given number of distinct hosts.

Default: { 100, 1000, 10000, }. So, for example, if a remote host attempts to connect to 3,500 different local hosts, a report will be generated when it makes the 100th attempt, and another when it makes the 1,000th attempt.

report_outbound_peer_scan : set[count]
The same as report_peer_scan, except for connections initiated locally.

Default: { 1000, 10000, }.

possible_port_scan_thresh : count
Initially, port scan detection is done based on how many different ports a given host connects to, regardless of which hosts those ports are on. Once this threshold is reached, however, the analyzer begins tracking ports accessed per server, which is important for reducing false positives. Note: this variable exists because it is very expensive to track per-server ports accessed for every active host; it limits such tracking to those active hosts that contact a significant number of different ports.

Default: 25.
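The two pieces of bookkeeping described above (threshold-set reporting of distinct hosts contacted, and the two-stage port tracking that only becomes per-server once possible_port_scan_thresh is reached) are modelled below in Python. This is an added illustration, not Bro's own code: the ScanTracker class, its connection(orig, resp, port) entry point, the 10.0.0.0/8 stand-in for the local address space and the sample traffic are all constructed here; only the variable names and their documented defaults come from this page.

```python
"""Model of the scan analyzer's address-scan and port-scan bookkeeping.

Added illustration, not Bro code. ScanTracker, connection(), the
10.0.0.0/8 local-network stand-in and the demo traffic are constructed;
the variable names and defaults are the ones documented in the manual.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Documented defaults.
REPORT_PEER_SCAN = {100, 1000, 10000}
REPORT_OUTBOUND_PEER_SCAN = {1000, 10000}
POSSIBLE_PORT_SCAN_THRESH = 25

# Constructed stand-in for the site's address space (what is_local_address checks).
LOCAL_NETS = [ip_network("10.0.0.0/8")]


def is_local_address(host):
    ip = ip_address(host)
    return any(ip in net for net in LOCAL_NETS)


class ScanTracker:
    def __init__(self, report_peer_scan=REPORT_PEER_SCAN,
                 report_outbound_peer_scan=REPORT_OUTBOUND_PEER_SCAN,
                 possible_port_scan_thresh=POSSIBLE_PORT_SCAN_THRESH,
                 skip_scan_sources=(), skip_outbound_services=()):
        self.report_peer_scan = set(report_peer_scan)
        self.report_outbound_peer_scan = set(report_outbound_peer_scan)
        self.possible_port_scan_thresh = possible_port_scan_thresh
        self.skip_scan_sources = set(skip_scan_sources)
        self.skip_outbound_services = set(skip_outbound_services)
        self.distinct_hosts = defaultdict(set)   # originator -> responders contacted
        self.distinct_ports = defaultdict(set)   # originator -> ports seen on any host
        # originator -> responder -> ports; only filled once the cheap count
        # of distinct ports reaches possible_port_scan_thresh.
        self.ports_per_server = defaultdict(lambda: defaultdict(set))
        self.reports = []                        # (originator, host count, direction)

    def connection(self, orig, resp, port):
        """Account for one connection attempt orig -> resp:port."""
        if orig in self.skip_scan_sources:
            return
        local = is_local_address(orig)
        if local and port in self.skip_outbound_services:
            return
        thresholds = self.report_outbound_peer_scan if local else self.report_peer_scan
        hosts = self.distinct_hosts[orig]
        if resp not in hosts:
            hosts.add(resp)
            # A report fires exactly when the number of distinct hosts
            # reaches a member of the threshold set (the 100th, 1000th, ...).
            if len(hosts) in thresholds:
                self.reports.append((orig, len(hosts), "outbound" if local else "inbound"))
        # Stage one: count distinct ports regardless of host.
        ports = self.distinct_ports[orig]
        ports.add(port)
        # Stage two: once the threshold is reached, record ports per server.
        if len(ports) >= self.possible_port_scan_thresh:
            self.ports_per_server[orig][resp].add(port)

    def tracking_per_server(self, orig):
        return len(self.distinct_ports[orig]) >= self.possible_port_scan_thresh


def demo():
    """Constructed traffic: one external host sweeping 150 internal hosts on
    port 22, and another probing 30 ports on a single internal host."""
    tracker = ScanTracker()
    for i in range(1, 151):
        tracker.connection("203.0.113.5", f"10.0.1.{i}", 22)
    for p in range(1, 31):
        tracker.connection("203.0.113.9", "10.0.2.1", p)
    return tracker


if __name__ == "__main__":
    t = demo()
    for orig, n, direction in t.reports:
        print(f"{direction} scan: {orig} has contacted {n} distinct hosts")
    print("per-server port tracking for 203.0.113.9:", t.tracking_per_server("203.0.113.9"))
```

Running the demo yields a single report for 203.0.113.5 at its 100th distinct host (the next would come at 1,000), while 203.0.113.9 is only tracked per server from its 25th distinct port onward; the host that only ever used port 22 never incurs the per-server cost.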

report_accounts_tried : set[count]
Whenever a remote host has attempted to access a number of local accounts present in this set, generate a log message. Each distinct username/password pair is considered a different access.

Default: { 25, 100, 500, }.

report_remote_accounts_tried : set[count]
The same as report_accounts_tried, except for access to remote accounts rather than local ones.

Default: { 100, 500, }.

skip_accounts_tried : set[addr]
Do not do bookkeeping for account attempts for the given hosts.

Default: empty.

skip_outbound_services : set[port]
Do not do outbound-scanning bookkeeping for connections involving the given services.

Default: allow_services, ftp, addl_web (see next item).

addl_web : set[port]
Additional ports that should be considered as Web traffic (and hence skipped for outbound-scan bookkeeping).

Default: { 81/tcp, 443/tcp, 8000/tcp, 8001/tcp, 8080/tcp, }.

skip_scan_sources : set[addr]
Hosts that are allowed to address-scan without complaint.

Default: scooter.pa-x.dec.com, scooter2.av.pa-x.dec.com (AltaVista crawlers; you get the idea.)

skip_scan_nets_24 : set[addr, port]
/24 networks that are allowed to address scan for the given port without complaint.

Default: empty.

can_drop_connectivity : bool
True if the Bro is able to drop connectivity (via drop_address).

Default: false.

shut_down_scans : set[port]
Scans of these ports trigger connectivity-dropping (if the Bro is capable of dropping connectivity), unless shut_down_all_scans is defined (next item).

Default: empty.

shut_down_all_scans : bool
Ignore shut_down_scans and simply drop all scans regardless of service.

Default: false.

shut_down_thresh : count
Shut down connectivity after a host has scanned this many addresses.

Default: 100.

never_shut_down : set[addr]
Purported scans from these addresses are never shut down.

Default: the root name servers (a.root-servers.net through m.root-servers.net).
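The five connectivity-dropping variables interact, and the order in which they are consulted matters: no scan is ever dropped unless the Bro can drop connectivity, never_shut_down addresses are exempt regardless of volume, the shut_down_thresh address count must be reached, and only then does shut_down_all_scans decide whether the scanned port must also appear in shut_down_scans. The following Python decision function is an added illustration of that precedence, not Bro's code: ScanPolicy and should_shut_down() are constructed here, and the defaults are the ones documented above.

```python
"""Decision model for the scan analyzer's connectivity-dropping variables.

Added illustration, not Bro code: ScanPolicy and should_shut_down() are
constructed here; the field names and defaults are the manual's.
"""
from dataclasses import dataclass, field


@dataclass
class ScanPolicy:
    can_drop_connectivity: bool = False
    shut_down_scans: set = field(default_factory=set)   # ports whose scans are dropped
    shut_down_all_scans: bool = False                    # ignore shut_down_scans, drop all
    shut_down_thresh: int = 100                          # addresses scanned before dropping
    never_shut_down: set = field(default_factory=set)   # addresses that are never dropped


def should_shut_down(policy, scanner, port, addresses_scanned):
    """Return True if drop_address should be invoked against this scanner."""
    if not policy.can_drop_connectivity:
        return False          # this Bro cannot drop connectivity at all
    if scanner in policy.never_shut_down:
        return False          # exempt, e.g. the root name servers
    if addresses_scanned < policy.shut_down_thresh:
        return False          # not yet scanned enough addresses
    if policy.shut_down_all_scans:
        return True           # service is irrelevant
    return port in policy.shut_down_scans


if __name__ == "__main__":
    # Constructed policy: dropping enabled, only SSH scans qualify.
    policy = ScanPolicy(can_drop_connectivity=True, shut_down_scans={22},
                        never_shut_down={"192.0.2.53"})
    print(should_shut_down(policy, "203.0.113.7", 22, 100))   # True
    print(should_shut_down(policy, "203.0.113.7", 80, 100))   # False: port not listed
    print(should_shut_down(policy, "192.0.2.53", 22, 5000))   # False: exempt address
```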