policy/misc/detect-traceroute/main.bro
-
Traceroute
This script detects a large number of ICMP Time Exceeded messages heading
toward hosts that have sent low TTL packets. It generates a notice when the
number of ICMP Time Exceeded messages for a source-destination pair exceeds
a threshold.
Detailed Interface
Redefinable Options
-
Traceroute::icmp_time_exceeded_interval
-
Interval at which to watch for the
Traceroute::icmp_time_exceeded_threshold
variable to be
crossed. At the end of each interval the counter is reset.
-
Traceroute::icmp_time_exceeded_threshold
-
Defines the threshold for ICMP Time Exceeded messages for a src-dst
pair. This threshold only comes into play after a host is found to
be sending low TTL packets.
-
Traceroute::require_low_ttl_packets
-
By default this script requires that any host detected running
traceroutes first send low TTL packets (TTL < 10) to the traceroute
destination host. Changing this setting to F will relax the
detection a bit by solely relying on ICMP time-exceeded messages to
detect traceroute.
Types
-
Traceroute::Info
-
The log record for the traceroute log.
Events
-
Traceroute::log_traceroute
-