actually_rejected_PTR_anno : set[string]
Annotations that if returned for a PTR lookup actually indicate a rejected query; for example, "illegal-address.lbl.gov".
Note: This variable is const, so may only be changed via redef.
sensitive_lookup_hosts : set[addr]
Hosts in this set generate an alert when they are returned in PTR queries, unless the originating host is in okay_to_lookup_sensitive_hosts.
Note: This variable is const, so may only be changed via redef.
okay_to_lookup_sensitive_hosts : set[addr]
If the DNS request originator is in this set, then it is allowed to look up “sensitive” hosts (see also sensitive_lookup_hosts) without causing an alert.
dns_log : file
The file into which DNS-related alerts are written.
dns_sessions : table[addr, addr] of dns_session_info
A table of outstanding DNS sessions indexed by [client IP, server IP]. Fixme: Need to illustrate dns_session_info.
num_dns_sessions : count
The total number of entries that have ever been in the table.
distinct_PTR_requests : table[addr, string] of count
The number of DNS PTR requests observed with the given source address and request string.
distinct_rejected_PTR_requests : table[addr] of count
How many DNS PTR requests from the given source address were rejected. A report is generated if this number crosses a threshold, namely, report_rejected_PTR_thresh.
distinct_answered_PTR_requests : table[addr] of count
How many DNS PTR requests from the given source address were answered.
report_rejected_PTR_thresh : count
If this many DNS requests from a host are rejected, generate a possible PTR scan event.
report_rejected_PTR_factor : double
If the number of rejected DNS requests from a host exceeds the number of accepted ones by this factor, generate a PTR_scan event.
allow_PTR_scans : set[addr]
The set of hosts for which a PTR_scan event does not generate a report (that is, the scan is allowed).
did_PTR_scan_event : table[addr] of count
A table of hosts for which a PTR_scan event has already been generated, so that a scanning host is reported only once.
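The site-policy fragment below is an added example, not code from dns.bro or the Bro distribution. It shows the two ways a site interacts with the variables above: the const ones are tuned via redef, and the per-client tables can be read back, here from a bro_done handler that writes a summary to dns_log. The addresses, the threshold and factor values, and the hostname added to actually_rejected_PTR_anno (beyond the manual's own "illegal-address.lbl.gov") are placeholders; the handler also assumes a client may have an entry in distinct_rejected_PTR_requests without one in distinct_answered_PTR_requests, and defaults the answered count to 0 in that case.

```bro
# Added example (not part of dns.bro): site policy that tunes the
# PTR-scan detector and summarises its per-client counters at exit.
# Addresses and threshold values are placeholders for illustration.

@load dns

# Every variable redef'd here is declared const in dns.bro, so a site
# policy may only change it via redef, never by assignment.

# PTR answers carrying this annotation are counted as rejected queries.
redef actually_rejected_PTR_anno += { "illegal-address.lbl.gov" };

# Reverse lookups that return one of these addresses raise an alert ...
redef sensitive_lookup_hosts += { 192.0.2.10, 192.0.2.11 };

# ... unless the client doing the lookup is one of these (placeholder).
redef okay_to_lookup_sensitive_hosts += { 192.0.2.1 };

# Report a client after 100 rejected PTR requests, or once its rejected
# requests outnumber its answered ones by a factor of three.
redef report_rejected_PTR_thresh = 100;
redef report_rejected_PTR_factor = 3.0;

# The site's own resolver (placeholder address) legitimately performs
# many reverse lookups, so its PTR_scan events are not reported.
redef allow_PTR_scans += { 192.0.2.53 };

event bro_done()
	{
	print dns_log, fmt("%d DNS sessions seen in total", num_dns_sessions);

	# Walk every client that had at least one rejected PTR request and
	# record how it fared against the threshold/factor rule.
	for ( client in distinct_rejected_PTR_requests )
		{
		local rejected = distinct_rejected_PTR_requests[client];

		# Assumption: a client may be absent from the answered table.
		local answered = client in distinct_answered_PTR_requests ?
				distinct_answered_PTR_requests[client] : 0;

		local status = "below threshold";
		if ( client in allow_PTR_scans )
			status = "scan allowed";
		else if ( client in did_PTR_scan_event )
			status = "PTR_scan reported";

		print dns_log, fmt("%s: %d rejected, %d answered PTR requests (%s)",
				client, rejected, answered, status);
		}
	}
```

Because did_PTR_scan_event is consulted before deciding whether to report, the summary line says "PTR_scan reported" exactly once per scanning host, matching the one-report-per-host behaviour of the event itself.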