Scan

TCP Scan detection.

| Namespace: | Scan |
|---|---|
| Imports: | base/frameworks/notice, base/frameworks/sumstats, base/utils/time.bro |
| Source File: | /scripts/policy/misc/scan.bro |
| Name | Description |
|---|---|
| Scan::addr_scan_interval : interval &redef | Failed connection attempts are tracked over this time interval for the address scan detection. |
| Scan::addr_scan_threshold : double &redef | The threshold of the unique number of hosts a scanning host has to have failed connections with on a single port. |
| Scan::port_scan_interval : interval &redef | Failed connection attempts are tracked over this time interval for the port scan detection. |
| Scan::port_scan_threshold : double &redef | The threshold of the number of unique ports a scanning host has to have failed connections with on a single victim host. |
| Notice::Type : enum | |
Scan::addr_scan_interval

| Type: | interval |
|---|---|
| Attributes: | &redef |
| Default: | 5.0 mins |

Failed connection attempts are tracked over this time interval for the address scan detection. A higher interval will detect slower scanners, but may also yield more false positives.
Scan::addr_scan_threshold

| Type: | double |
|---|---|
| Attributes: | &redef |
| Default: | 25.0 |

The threshold of the unique number of hosts a scanning host has to have failed connections with on a single port.
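The page lists the options but not the logic they parameterize. The following is an added Python re-implementation of the two detectors (address scan: many victim hosts on one port from one scanner; port scan: many ports on one victim from one scanner) fed with failed TCP connection attempts. It is not scan.bro's own code, which is written in the Bro scripting language on top of the SumStats framework; it uses a sliding window per key rather than SumStats' fixed epochs. The `addr_scan_interval` and `addr_scan_threshold` defaults are the page's; the port-scan defaults, the notice names and all connection records are assumptions constructed for the example.

```python
"""Illustrative re-implementation of the scan.bro detectors (not Zeek/Bro code)."""
from collections import defaultdict, deque

ADDR_SCAN_INTERVAL = 5 * 60.0   # page default: 5.0 mins, in seconds
ADDR_SCAN_THRESHOLD = 25.0      # page default
PORT_SCAN_INTERVAL = 5 * 60.0   # assumed; the page does not state this default
PORT_SCAN_THRESHOLD = 15.0      # assumed; the page does not state this default


class ScanDetector:
    """Tracks failed TCP connection attempts per scanner and raises a notice
    once a documented threshold is crossed inside the matching interval."""

    def __init__(self, addr_interval=ADDR_SCAN_INTERVAL, addr_threshold=ADDR_SCAN_THRESHOLD,
                 port_interval=PORT_SCAN_INTERVAL, port_threshold=PORT_SCAN_THRESHOLD):
        self.addr_interval = addr_interval
        self.addr_threshold = addr_threshold
        self.port_interval = port_interval
        self.port_threshold = port_threshold
        self.addr_obs = defaultdict(deque)   # (scanner, port)   -> deque of (ts, victim)
        self.port_obs = defaultdict(deque)   # (scanner, victim) -> deque of (ts, port)
        self.notices = []                    # every notice raised so far

    @staticmethod
    def _unique_in_window(obs, now, interval):
        """Drop observations older than `interval` and return the distinct values left."""
        while obs and now - obs[0][0] > interval:
            obs.popleft()
        return {value for _, value in obs}

    def failed_connection(self, ts, scanner, victim, port):
        """Feed one failed TCP connection attempt (a rejected or unanswered SYN).
        Returns the notices raised by this single event."""
        raised = []

        # Address scan: distinct victim hosts hit on the same port by one scanner.
        addr_key = self.addr_obs[(scanner, port)]
        addr_key.append((ts, victim))
        hosts = self._unique_in_window(addr_key, ts, self.addr_interval)
        if len(hosts) >= self.addr_threshold:
            # Notice name is assumed to mirror the script's; not taken from this page.
            raised.append(("Scan::Address_Scan", scanner, port, len(hosts)))
            addr_key.clear()   # start a fresh measurement, as an epoch ending would

        # Port scan: distinct ports tried on one victim host by one scanner.
        port_key = self.port_obs[(scanner, victim)]
        port_key.append((ts, port))
        ports = self._unique_in_window(port_key, ts, self.port_interval)
        if len(ports) >= self.port_threshold:
            raised.append(("Scan::Port_Scan", scanner, victim, len(ports)))
            port_key.clear()

        self.notices.extend(raised)
        return raised


def run_demo():
    """Replay constructed failed-connection records and return the notices raised."""
    det = ScanDetector()
    events = []
    # Constructed: 25 distinct hosts probed on port 22 within 25 seconds -> address scan.
    for i in range(25):
        events.append((1000.0 + i, "10.0.0.99", f"192.168.1.{i + 1}", 22))
    # Constructed: 15 distinct ports probed on one host within 15 seconds -> port scan.
    for i in range(15):
        events.append((2000.0 + i, "10.0.0.77", "192.168.1.5", 1000 + i))
    # Constructed: one host every 10 minutes; never 25 hosts inside the 5-minute window,
    # which is the slow-scanner blind spot the interval option trades against false positives.
    for i in range(25):
        events.append((3000.0 + i * 600, "10.0.0.55", f"192.168.2.{i + 1}", 445))
    for event in sorted(events):
        det.failed_connection(*event)
    return det.notices


if __name__ == "__main__":
    for notice in run_demo():
        print(notice)
```

Raising `addr_scan_interval` lets the third scanner's slow sweep accumulate enough distinct hosts to trip the threshold, but it also keeps ordinary failed connections in the window longer, which is the false-positive trade-off the option's description points out.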