policy/misc/scan.bro

Scan

TCP Scan detection.

Namespace: Scan
Imports: base/frameworks/notice, base/frameworks/sumstats, base/utils/time.bro
Source File: /scripts/policy/misc/scan.bro

Summary

Options

Scan::addr_scan_interval: interval &redef Failed connection attempts are tracked over this time interval for the address scan detection.
Scan::addr_scan_threshold: double &redef The threshold on the number of unique hosts a scanning host has to have failed connections with on a single port.
Scan::port_scan_interval: interval &redef Failed connection attempts are tracked over this time interval for the port scan detection.
Scan::port_scan_threshold: double &redef The threshold on the number of unique ports a scanning host has to have failed connections with on a single victim host.

Redefinitions

Notice::Type: enum

Detailed Interface

Options

Scan::addr_scan_interval
Type: interval
Attributes: &redef
Default: 5.0 mins

Failed connection attempts are tracked over this time interval for the address scan detection. A higher interval will detect slower scanners, but may also yield more false positives.

Scan::addr_scan_threshold
Type: double
Attributes: &redef
Default: 25.0

The threshold on the number of unique hosts a scanning host has to have failed connections with on a single port.

Scan::port_scan_interval
Type: interval
Attributes: &redef
Default: 5.0 mins

Failed connection attempts are tracked over this time interval for the port scan detection. A higher interval will detect slower scanners, but may also yield more false positives.

Scan::port_scan_threshold
Type: double
Attributes: &redef
Default: 15.0

The threshold on the number of unique ports a scanning host has to have failed connections with on a single victim host.

Hooks

Scan::addr_scan_policy
Type: hook (scanner: addr, victim: addr, scanned_port: port) : bool
Scan::port_scan_policy
Type: hook (scanner: addr, victim: addr, scanned_port: port) : bool
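An added example of a site policy script that tunes the options above and handles both hooks (this is not part of this page or of scan.bro itself). It assumes the standard Bro hook semantics, where a handler that executes `break` makes the hook evaluate to F and scan.bro then does not count that failed connection; the threshold values, the `authorized_scanners` subnet and the `addr_scan_ignore_ports` set are constructed placeholders.

```bro
@load policy/misc/scan

# Constructed site-specific tuning: longer windows catch slower scanners,
# higher thresholds reduce false positives on a busy network.
redef Scan::addr_scan_interval = 10 mins;
redef Scan::addr_scan_threshold = 50.0;
redef Scan::port_scan_interval = 10 mins;
redef Scan::port_scan_threshold = 20.0;

# Hypothetical: authorized internal vulnerability scanners whose failed
# connections should not count toward either scan type.
const authorized_scanners: set[subnet] = { 10.0.9.0/24 } &redef;

# Hypothetical: ports where failed connections are routine (e.g. web
# crawlers hitting hosts without a web server) and would only add noise
# to address scan detection.
const addr_scan_ignore_ports: set[port] = { 80/tcp, 443/tcp } &redef;

hook Scan::addr_scan_policy(scanner: addr, victim: addr, scanned_port: port)
	{
	# break makes the hook return F, so this failure is not recorded.
	if ( scanner in authorized_scanners )
		break;

	if ( scanned_port in addr_scan_ignore_ports )
		break;
	}

hook Scan::port_scan_policy(scanner: addr, victim: addr, scanned_port: port)
	{
	# Only the scanner allow-list applies to port scans; a single host
	# probing many ports on one victim is still tracked otherwise.
	if ( scanner in authorized_scanners )
		break;
	}
```

Load this after scan.bro (as the `@load` line ensures) so the `redef` lines override the defaults shown above rather than being overridden by them.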

Copyright 2016, The Bro Project. Last updated on October 17, 2017. Created using Sphinx 1.5.2.