weird variables

The standard weird script provides the following redefinable variables:
weird_action : table[string] of count
    Default: as specified in conn_weird, conn_weird_addl, flow_weird, net_weird, and Events generated by the standard scripts. As usual, you can change particular values using refinement. For example:

        redef weird_action: table[string] of count += {
            [["bad_TCP_checksum", "bad_UDP_checksum"]] = WEIRD_IGNORE,
            ["fragment_overlap"] = WEIRD_LOG_PER_CONN,
        };

    would specify to ignore TCP and UDP checksum errors (rather than the default of WEIRD_FILE), and to alert on fragment overlaps once per connection in which they occur, rather than the default of WEIRD_LOG_ALWAYS.
weird_action_filters : table[string] of function(c: connection): count
    WEIRD_UNSPECIFIED means “no special action, use the action you normally would.” This variable thus allows arbitrary customization of the handling of particular events.
    Default: empty, for the weird analyzer itself. The analyzer redefines this variable as follows:

        redef weird_action_filters += {
            [["bad_RPC", "excess_RPC", "multiple_RPCs", "partial_RPC"]] = RPC_weird_action_filter,
        };

    where RPC_weird_action_filter is a function internal to the analyzer that returns WEIRD_FILE if the originating host is in , and WEIRD_UNSPECIFIED otherwise.
weird_ignore_host : set[addr, string]
    Default: empty.
weird_do_not_ignore_repeats : set[string]
    WEIRD_FILE, should still be recorded to the weird_file each time they occur.
    Default: the events relating to checksum errors, i.e., "bad_IP_checksum", "bad_TCP_checksum", "bad_UDP_checksum", and "bad_ICMP_checksum". These are recorded multiple times because it can prove handy to be able to track clusters of checksum errors.
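The following is an added example, not part of the Bro manual or of the standard weird script: a site policy file that refines all four variables described above, including a custom weird_action_filters function of the same shape as RPC_weird_action_filter. The set name lab_scanners, the function name scanner_rpc_filter and every address are assumptions constructed for the example; only the variable names and WEIRD_* constants come from the manual.

```bro
# Added example: local refinement of the weird analyzer's variables.
# lab_scanners, scanner_rpc_filter and the addresses are constructed for
# this example; they are not part of the standard scripts.

# Hosts from which truncated or malformed RPC traffic is expected
# (constructed addresses of a lab test rig).
const lab_scanners: set[addr] = { 10.1.1.50, 10.1.1.51 } &redef;

# A weird_action_filters function: it receives the connection on which
# the weird event fired and returns the action to take.  Returning
# WEIRD_UNSPECIFIED hands the decision back to weird_action.
function scanner_rpc_filter(c: connection): count
	{
	if ( c$id$orig_h in lab_scanners )
		return WEIRD_IGNORE;		# known lab hosts: drop the event

	return WEIRD_UNSPECIFIED;	# everyone else: use the normal action
	}

# Refine the per-event default actions.  Checksum errors from the wire
# are noisy, so record them once per connection instead of every time.
redef weird_action: table[string] of count += {
	["bad_TCP_checksum"] = WEIRD_LOG_PER_CONN,
	["bad_UDP_checksum"] = WEIRD_LOG_PER_CONN,
};

# Route the RPC-related weird events through the custom filter above.
redef weird_action_filters += {
	[["bad_RPC", "partial_RPC"]] = scanner_rpc_filter,
};

# Silence a single event for a single host: a NAT gateway (constructed
# address) that is known to emit bad UDP checksums.  Other events from
# that host are still handled normally.
redef weird_ignore_host += { [192.168.7.1, "bad_UDP_checksum"] };

# Keep recording fragment_overlap to weird_file on every occurrence,
# so clusters of overlapping fragments remain visible in the log.
redef weird_do_not_ignore_repeats += { "fragment_overlap" };
```

The filter function is consulted before the static weird_action entry, so the two refinements compose: a bad_RPC from a lab host is ignored, while the same event from any other host falls through to whatever weird_action specifies for it.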