policy/protocols/smtp/detect-suspicious-orig.zeek

Namespace: SMTP

Imports: base/frameworks/notice/main.zeek, base/protocols/smtp/main.zeek

Summary

Runtime Options

SMTP::suspicious_origination_countries: set &redef

Places where it's suspicious for mail to originate from, represented as all-capital, two-character country codes (e.g., US).

SMTP::suspicious_origination_networks: set &redef

Redefinitions

Notice::Type: enum

Detailed Interface

Runtime Options

SMTP::suspicious_origination_countries

Type: set [string]

Attributes: &redef

Default: {}

Places where it's suspicious for mail to originate from, represented as all-capital, two-character country codes (e.g., US). This option requires Zeek to be built with GeoIP support.

SMTP::suspicious_origination_networks

Type: set [subnet]

Attributes: &redef

Default: {}
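
Both sets default to empty, so the script flags nothing until a site redefines them. The following site configuration is an added example, not part of the Zeek distribution: the country code "ZZ" and the subnets (RFC 5737 / RFC 3849 documentation ranges) are constructed placeholders, and the notice name SMTP::Suspicious_Origination is the value this script adds to Notice::Type, which this page does not spell out.

```zeek
# local.zeek (added example; all values are placeholders to replace)

# The script lives under policy/, so it must be loaded explicitly.
@load policy/protocols/smtp/detect-suspicious-orig

# Country matching relies on GeoIP lookups; without GeoIP support in the
# Zeek build this set has no effect. Codes must be upper-case, two letters.
redef SMTP::suspicious_origination_countries += {
	"ZZ"		# placeholder, not a real assignment
};

# Network matching needs no GeoIP and works on any build.
redef SMTP::suspicious_origination_networks += {
	192.0.2.0/24,		# RFC 5737 documentation range (placeholder)
	[2001:db8::]/32		# RFC 3849 documentation range (placeholder)
};

# Escalate the resulting notice beyond the default notice.log entry.
# Assumption: the notice type is named SMTP::Suspicious_Origination.
hook Notice::policy(n: Notice::Info)
	{
	if ( n$note == SMTP::Suspicious_Origination )
		add n$actions[Notice::ACTION_ALARM];
	}
```

Because both options carry &redef, the `+=` form extends the sets at parse time without replacing entries added by other site scripts.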