policy/misc/scan.zeek
- Scan
TCP Scan detection.
- Namespace
Scan
- Imports
base/frameworks/notice, base/frameworks/sumstats, base/utils/time.zeek
Summary
Redefinable Options
- Scan::addr_scan_interval: Failed connection attempts are tracked over this time interval for the address scan detection.
- Scan::addr_scan_threshold: The threshold of the unique number of hosts a scanning host has to have failed connections with on a single port.
- Scan::port_scan_interval: Failed connection attempts are tracked over this time interval for the port scan detection.
- Scan::port_scan_threshold: The threshold of the number of unique ports a scanning host has to have failed connections with on a single victim host.
Redefinitions
Hooks
Detailed Interface
Redefinable Options
- Scan::addr_scan_interval
Failed connection attempts are tracked over this time interval for the address scan detection. A higher interval will detect slower scanners, but may also yield more false positives.
- Scan::addr_scan_threshold
The threshold of the unique number of hosts a scanning host has to have failed connections with on a single port.
- Scan::port_scan_interval
Failed connection attempts are tracked over this time interval for the port scan detection. A higher interval will detect slower scanners, but may also yield more false positives.
- Scan::port_scan_threshold
The threshold of the number of unique ports a scanning host has to have failed connections with on a single victim host.
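How the intervals and thresholds interact, as an added Python model that is not the script's own code: it counts unique hosts per (scanner, port) and unique ports per (scanner, victim) over failed connections, and shows a slow scanner that is only caught with a longer interval. The numeric values, the fixed per-key window and all addresses are assumptions constructed for this example.

```python
# Simplified model of the two detections; not Zeek's SumStats implementation.
# The option values below are assumptions for this example, not from the page.
ADDR_SCAN_INTERVAL = 300.0   # seconds
ADDR_SCAN_THRESHOLD = 25     # unique hosts on a single port
PORT_SCAN_INTERVAL = 300.0   # seconds
PORT_SCAN_THRESHOLD = 15     # unique ports on a single victim host

def _detect(events, key_fn, item_fn, interval, threshold):
    """Return keys whose unique-item count reaches threshold inside one window."""
    windows = {}   # key -> (window start time, set of unique items seen)
    hits = set()
    for ev in sorted(events, key=lambda e: e[0]):
        ts, key = ev[0], key_fn(ev)
        start, items = windows.get(key, (ts, set()))
        if ts - start >= interval:       # window expired: start counting again
            start, items = ts, set()
        items.add(item_fn(ev))
        windows[key] = (start, items)
        if len(items) >= threshold:
            hits.add(key)
    return sorted(hits)

def address_scans(events, interval=ADDR_SCAN_INTERVAL, threshold=ADDR_SCAN_THRESHOLD):
    # Key: (scanner, port). Counted item: victim host.
    return _detect(events, lambda e: (e[1], e[3]), lambda e: e[2], interval, threshold)

def port_scans(events, interval=PORT_SCAN_INTERVAL, threshold=PORT_SCAN_THRESHOLD):
    # Key: (scanner, victim). Counted item: destination port.
    return _detect(events, lambda e: (e[1], e[2]), lambda e: e[3], interval, threshold)

# Constructed failed-connection events: (timestamp, scanner, victim, port).
FAST = [(float(i), "192.0.2.10", f"198.51.100.{i + 1}", 22) for i in range(30)]
SLOW = [(20.0 * i, "192.0.2.20", f"198.51.100.{i + 1}", 445) for i in range(30)]
PORTS = [(float(i), "192.0.2.30", "198.51.100.5", 1000 + i) for i in range(20)]
FAILED = FAST + SLOW + PORTS

if __name__ == "__main__":
    print("address scans, 5 min window: ", address_scans(FAILED))
    print("address scans, 15 min window:", address_scans(FAILED, interval=900.0))
    print("port scans, 5 min window:    ", port_scans(FAILED))
```

The slow scanner reaches only 15 unique hosts in any 5 minute window, so it is reported only when the interval is raised, which is also how more benign hosts can accumulate enough failures to be flagged.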