policy/misc/detect-traceroute/main.bro

Traceroute

This script detects a large number of ICMP Time Exceeded messages heading toward hosts that have sent low TTL packets. It generates a notice when the number of ICMP Time Exceeded messages for a source-destination pair exceeds a threshold.

Namespace:Traceroute
Imports:base/frameworks/signatures, base/frameworks/sumstats
Source File:/scripts/policy/misc/detect-traceroute/main.bro

Summary

Options

Traceroute::icmp_time_exceeded_interval: interval &redef Interval at which to watch for the Traceroute::icmp_time_exceeded_threshold variable to be crossed.
Traceroute::icmp_time_exceeded_threshold: double &redef Defines the threshold for ICMP Time Exceeded messages for a src-dst pair.
Traceroute::require_low_ttl_packets: bool &redef By default this script requires that any host detected running traceroutes first send low TTL packets (TTL < 10) to the traceroute destination host.

Types

Traceroute::Info: record The log record for the traceroute log.

Detailed Interface

Options

Traceroute::icmp_time_exceeded_interval
Type:interval
Attributes:&redef
Default:3.0 mins

Interval at which to watch for the Traceroute::icmp_time_exceeded_threshold variable to be crossed. At the end of each interval the counter is reset.

Traceroute::icmp_time_exceeded_threshold
Type:double
Attributes:&redef
Default:3.0

Defines the threshold for ICMP Time Exceeded messages for a src-dst pair. This threshold only comes into play after a host is found to be sending low TTL packets.

Traceroute::require_low_ttl_packets
Type:bool
Attributes:&redef
Default:T

By default this script requires that any host detected running traceroutes first send low TTL packets (TTL < 10) to the traceroute destination host. Changing this setting to F will relax the detection a bit by solely relying on ICMP time-exceeded messages to detect traceroute.

Types

Traceroute::Info
Type:

record

ts: time &log

Timestamp

src: addr &log

Address initiating the traceroute.

dst: addr &log

Destination address of the traceroute.

proto: string &log

Protocol used for the traceroute.

The log record for the traceroute log.

Events

Traceroute::log_traceroute
Type:event (rec: Traceroute::Info)
Copyright 2016, The Bro Project. Last updated on December 13, 2017. Created using Sphinx 1.5.2.