


6.1.27 scan.bro

suppress_scan_checks : bool
If true, scan checking is suppressed (account-tried accounting is still performed). This is provided because scan checking, which keeps per-host state for every distinct peer and port seen, can consume a lot of memory.

report_peer_scan : set[count]

When the number of distinct machines connected to by a given external host reaches each of the levels in the set, an alert is generated.
Note: This variable is const, so may only be changed via redef.

report_outbound_peer_scan : set[count]

When the number of distinct machines connected to by a given internal host reaches each of the levels in the set, an alert is generated.
Note: This variable is const, so may only be changed via redef.

num_distinct_peers : table[addr] of count

A table indexed by a host's address which indicates how many distinct machines that host has connected to.

distinct_peers : set[addr,addr]

A set of (source host, target machine) pairs recording which machines each host has connected to; num_distinct_peers counts the entries per source.

num_distinct_ports : table[addr] of count

A table indexed by a host's address which indicates how many distinct ports that host has connected to.

distinct_ports : set[addr, port]

A set of (source host, target port) pairs recording which ports each host has connected to; num_distinct_ports counts the entries per source.

report_port_scan : set[count]

When the number of distinct ports connected to by a given external host reaches each of the levels in the set, an alert is generated.
Note: This variable is const, so may only be changed via redef.

possible_port_scan_thresh : count

If a host tries to connect to more than this number of ports, it is considered a possible scanner.
Note: This variable is const, so may only be changed via redef.

possible_scan_sources : set[addr]

Hosts are put in this set once they have connected to more than possible_port_scan_thresh distinct ports.

num_scan_triples : table[addr, addr] of count

Indexed by source address and destination address, the number of distinct services (ports) the source has tried on the destination. This is only tracked for sources in possible_scan_sources.

scan_triples : set[addr, addr, port]

For source addresses in possible_scan_sources, the (source address, destination address, service/port) triples scanned.

accounts_tried : set[addr, string, string]

The (source address, user name, password) triples tried, i.e. which accounts each host has attempted to log in to.

num_accounts_tried : table[addr] of count

How many accounts, as defined by a (user name, password) pair, were tried by the host with the given address.

report_accounts_tried : set[count]

When the number of distinct accounts (username, password) tried by a given external host reaches each of the levels in the set, an alert is generated.
Note: This variable is const, so may only be changed via redef.

report_remote_accounts_tried : set[count]

When the number of distinct remote accounts (username, password) tried by a given internal host reaches each of the levels in the set, an alert is generated.
Note: This variable is const, so may only be changed via redef.

skip_accounts_tried : set[addr]

Hosts in this set are not subject to alerts based on report_accounts_tried and report_remote_accounts_tried.
Note: This variable is const, so may only be changed via redef.
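As an added illustration (Python, not Bro script, and not code from scan.bro), the following models the account-tried accounting these variables describe: each distinct (user name, password) pair is counted once per source, the level set consulted depends on whether the source is internal or external, and hosts in skip_accounts_tried are still counted but never alerted on. The local network, the thresholds and the login records are constructed for the example.

```python
# Added example: a stand-alone Python model of scan.bro's account-tried
# accounting. Variable names mirror the Bro ones; the local network,
# thresholds and login attempts below are constructed, not real data.
import ipaddress

LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed site definition

# Thresholds as scan.bro would take them via redef (constructed values).
report_accounts_tried = {3, 5}          # external sources
report_remote_accounts_tried = {2, 4}   # internal sources
skip_accounts_tried = {"10.0.0.5"}      # e.g. a known password-sync host

# State mirroring set[addr,string,string] and table[addr] of count.
accounts_tried = set()
num_accounts_tried = {}

def is_local(ip):
    a = ipaddress.ip_address(ip)
    return any(a in n for n in LOCAL_NETS)

def record_login(src, user, passwd):
    """Count a (user, password) pair once per source. Return an alert
    string when the count reaches a configured level, else None."""
    key = (src, user, passwd)
    if key in accounts_tried:
        return None                  # the same account again is not new
    accounts_tried.add(key)
    n = num_accounts_tried.get(src, 0) + 1
    num_accounts_tried[src] = n      # accounting happens even for skipped hosts
    if src in skip_accounts_tried:
        return None
    if is_local(src):
        levels, side = report_remote_accounts_tried, "internal"
    else:
        levels, side = report_accounts_tried, "external"
    if n in levels:
        return f"{side} host {src} tried {n} distinct accounts"
    return None

def reset():
    accounts_tried.clear()
    num_accounts_tried.clear()

SAMPLE = [  # constructed login attempts: (source, user name, password)
    ("203.0.113.7", "root", "root"),
    ("203.0.113.7", "root", "root"),     # duplicate, not counted again
    ("203.0.113.7", "root", "toor"),
    ("203.0.113.7", "admin", "admin"),   # third distinct pair -> level 3
    ("10.0.0.9", "alice", "x"),
    ("10.0.0.9", "alice", "y"),          # internal host, second pair -> level 2
    ("10.0.0.5", "bob", "a"),
    ("10.0.0.5", "bob", "b"),            # skipped host: counted, never alerted
]

def run(records=SAMPLE):
    reset()
    return [a for a in (record_login(*r) for r in records) if a]

if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The skip check is placed after the counter update on purpose: it keeps num_accounts_tried accurate for hosts you have exempted, which matches the page's statement that suppressing alerts does not suppress the accounting.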

addl_web : set[port]

Ports in this set are treated as HTTP services.
Note: This variable is const, so may only be changed via redef.

skip_services : set[port]

Connections to ports in this set are ignored for the purposes of scan detection.
Note: This variable is const, so may only be changed via redef.

skip_outbound_services : set[port]

Connections to external machines on ports in this set are ignored for the purposes of scan detection.
Note: This variable is const, so may only be changed via redef.

skip_scan_sources : set[addr]

Hosts in this set are ignored as possible sources of scans.
Note: This variable is const, so may only be changed via redef.

skip_scan_nets_16 : set[addr,port]

Connections matching the specified (source host /16 subnet, port) pairs are ignored for the purpose of scan detection.
Note: This variable is const, so may only be changed via redef.

skip_scan_nets_24 : set[addr,port]

Connections matching the specified (source host /24 subnet, port) pairs are ignored for the purpose of scan detection.
Note: This variable is const, so may only be changed via redef.

backscatter_ports : set[port]

Reverse (SYN-ack) scans seen from these ports are considered to reflect possible SYN flooding backscatter and not true (stealth) scans.
Note: This variable is const, so may only be changed via redef.

num_backscatter_peers : table[addr] of count

Indexed by a host, how many other hosts it connected to with a possible backscatter signature.

distinct_backscatter_peers : table[addr, addr] of count

A table of [source, destination] observed backscatter activity; the table entry is a count of backscatter packets from the source to the destination.

report_backscatter : set[count]

When the number of machines that a host has sent backscatter packets to reaches each of the levels in the set, an alert is generated.
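The peer-scan, port-scan, skip-set and backscatter variables above together define one accounting loop. As an added example (Python, not Bro script, and not code from scan.bro), the following models that loop over constructed connection records: the skip_* exemptions are applied first, distinct peers and ports are counted per source against the internal or external level sets, sources exceeding possible_port_scan_thresh start accumulating scan_triples, and SYN-ACK "reverse scans" from backscatter_ports are counted separately as backscatter rather than as scans. The local network, thresholds and records are assumptions made for the example.

```python
# Added example: a stand-alone Python model of scan.bro's peer/port-scan and
# backscatter accounting. Names mirror the Bro variables; the local network,
# thresholds, skip sets and connection records are constructed for the demo.
import ipaddress

LOCAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed site network

# Configuration as scan.bro would take it via redef (constructed values).
report_peer_scan = {3}             # external source: alert at 3 distinct peers
report_outbound_peer_scan = {2}    # internal source: alert at 2 distinct peers
report_port_scan = {4}
possible_port_scan_thresh = 2
report_backscatter = {2}
skip_services = {111}
skip_outbound_services = {53}
skip_scan_sources = {"198.51.100.1"}
skip_scan_nets_24 = {("192.0.2.0", 25)}   # (source /24 network address, port)
backscatter_ports = {80}

# State, mirroring the Bro tables and sets.
num_distinct_peers, distinct_peers = {}, set()
num_distinct_ports, distinct_ports = {}, set()
possible_scan_sources, scan_triples = set(), set()
num_backscatter_peers, distinct_backscatter_peers = {}, {}

def is_local(ip):
    return ipaddress.ip_address(ip) in LOCAL_NET

def net24(ip):
    return str(ipaddress.ip_network(ip + "/24", strict=False).network_address)

def skipped(src, dst, port):
    """True if the skip_* sets exempt this connection from scan accounting."""
    if src in skip_scan_sources or port in skip_services:
        return True
    if not is_local(dst) and port in skip_outbound_services:
        return True
    return (net24(src), port) in skip_scan_nets_24

def bump(table, key):
    table[key] = table.get(key, 0) + 1
    return table[key]

def connection(src, dst, port, syn_ack_only=False):
    """Account one attempted connection; return the alerts it triggers."""
    alerts = []
    if syn_ack_only and port in backscatter_ports:
        # A SYN-ACK from a backscatter port is treated as flooding backscatter,
        # never as a stealth scan, and counted in its own tables.
        if bump(distinct_backscatter_peers, (src, dst)) == 1:
            n = bump(num_backscatter_peers, src)
            if n in report_backscatter:
                alerts.append(f"backscatter from {src}: {n} peers")
        return alerts
    if skipped(src, dst, port):
        return alerts
    if (src, dst) not in distinct_peers:
        distinct_peers.add((src, dst))
        n = bump(num_distinct_peers, src)
        kind = "outbound peer scan" if is_local(src) else "peer scan"
        levels = report_outbound_peer_scan if is_local(src) else report_peer_scan
        if n in levels:
            alerts.append(f"{kind} from {src}: {n} hosts")
    if (src, port) not in distinct_ports:
        distinct_ports.add((src, port))
        n = bump(num_distinct_ports, src)
        if n > possible_port_scan_thresh:
            possible_scan_sources.add(src)
        if n in report_port_scan:
            alerts.append(f"port scan from {src}: {n} ports")
    if src in possible_scan_sources:
        scan_triples.add((src, dst, port))   # only tracked for possible scanners
    return alerts

def reset():
    for s in (distinct_peers, distinct_ports, possible_scan_sources, scan_triples,
              num_distinct_peers, num_distinct_ports,
              num_backscatter_peers, distinct_backscatter_peers):
        s.clear()

SAMPLE = [  # constructed records: (src, dst, port, syn_ack_only)
    ("203.0.113.9", "10.0.0.1", 22, False),
    ("203.0.113.9", "10.0.0.2", 22, False),
    ("203.0.113.9", "10.0.0.3", 22, False),    # 3rd distinct peer -> alert
    ("203.0.113.9", "10.0.0.3", 23, False),
    ("203.0.113.9", "10.0.0.3", 25, False),    # 3rd port > thresh -> possible scanner
    ("203.0.113.9", "10.0.0.3", 111, False),   # skip_services: ignored
    ("203.0.113.9", "10.0.0.3", 443, False),   # 4th port -> port scan alert
    ("198.51.100.1", "10.0.0.4", 22, False),   # skip_scan_sources
    ("192.0.2.77", "10.0.0.4", 25, False),     # skip_scan_nets_24 (/24, 25)
    ("10.0.0.50", "203.0.113.1", 53, False),   # outbound DNS: skipped
    ("10.0.0.50", "203.0.113.2", 22, False),
    ("10.0.0.50", "203.0.113.3", 22, False),   # internal, 2nd peer -> alert
    ("203.0.113.200", "10.0.0.7", 80, True),   # SYN-ACK from 80: backscatter
    ("203.0.113.200", "10.0.0.8", 80, True),   # 2nd backscatter peer -> alert
]

def run(records=SAMPLE):
    reset()
    return [a for r in records for a in connection(*r)]

if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Note that a skipped connection is invisible to every counter, so an attacker who limits a sweep to ports in skip_services will never enter possible_scan_sources; keep that set short and review it when tuning suppress_scan_checks for memory.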

Fixme: Need to document connection-dropping related variables.

               global can_drop_connectivity = F &redef;
               global drop_connectivity_script = "drop-connectivity" &redef;
               global connectivity_dropped: set[addr];
               const shut_down_scans: set[port] &redef;
               const shut_down_all_scans = F &redef;
               const shut_down_thresh = 100 &redef;
               never_shut_down: set[addr]
               never_drop_nets: set[net]
               never_drop_16_nets: set[net]
               did_drop_address: table[addr] of count
          

root_servers : set[host]

The set of root DNS servers.
Note: This variable is const, so may only be changed via redef.

gtld_servers : set[host]

The set of Generic Top-Level Domain servers (.com, .net, .org, etc.).
Note: This variable is const, so may only be changed via redef.