policy/misc/scan.bro

Scan

TCP Scan detection.

Namespace:Scan Imports:base/frameworks/notice, base/frameworks/sumstats, base/utils/time.bro Source File:/scripts/policy/misc/scan.bro

Summary

Options

Scan::addr_scan_interval: interval &redef	Failed connection attempts are tracked over this time interval for the address scan detection.
Scan::addr_scan_threshold: double &redef	The threshold of the unique number of hosts a scanning host has to have failed connections with on a single port.
Scan::port_scan_interval: interval &redef	Failed connection attempts are tracked over this time interval for the port scan detection.
Scan::port_scan_threshold: double &redef	The threshold of the number of unique ports a scanning host has to have failed connections with on a single victim host.

Redefinitions

Notice::Type: enum

Hooks

Scan::addr_scan_policy: hook
Scan::port_scan_policy: hook

Detailed Interface

Options

Scan::addr_scan_interval

Type:interval Attributes:&redef Default:5.0 mins

Failed connection attempts are tracked over this time interval for the address scan detection. A higher interval will detect slower scanners, but may also yield more false positives.

Scan::addr_scan_threshold

Type:double Attributes:&redef Default:25.0

The threshold of the unique number of hosts a scanning host has to have failed connections with on a single port.

Scan::port_scan_interval

Type:interval Attributes:&redef Default:5.0 mins

Failed connection attempts are tracked over this time interval for the port scan detection. A higher interval will detect slower scanners, but may also yield more false positives.

Scan::port_scan_threshold

Type:double Attributes:&redef Default:15.0

The threshold of the number of unique ports a scanning host has to have failed connections with on a single victim host.

Hooks

Scan::addr_scan_policy

Type:hook (scanner: addr, victim: addr, scanned_port: port) : bool

Scan::port_scan_policy

Type:hook (scanner: addr, victim: addr, scanned_port: port) : bool