policy/misc/detect-traceroute/main.zeek

Traceroute

This script detects a large number of ICMP Time Exceeded messages heading toward hosts that have sent low TTL packets. It generates a notice when the number of ICMP Time Exceeded messages for a source-destination pair exceeds a threshold.

Namespace

Traceroute

Imports

base/frameworks/signatures, base/frameworks/sumstats

Summary

Redefinable Options

Traceroute::icmp_time_exceeded_interval: interval &redef

Interval at which to watch for the Traceroute::icmp_time_exceeded_threshold variable to be crossed.

Traceroute::icmp_time_exceeded_threshold: double &redef

Defines the threshold for ICMP Time Exceeded messages for a src-dst pair.

Traceroute::require_low_ttl_packets: bool &redef

By default this script requires that any host detected running traceroutes first send low TTL packets (TTL < 10) to the traceroute destination host.

Types

Traceroute::Info: record

The log record for the traceroute log.

Redefinitions

Log::ID: enum

Notice::Type: enum

Signatures::ignored_ids: pattern &redef

Events

Traceroute::log_traceroute: event

Hooks

Traceroute::log_policy: Log::PolicyHook

Detailed Interface

Redefinable Options

Traceroute::icmp_time_exceeded_interval
Type

interval

Attributes

&redef

Default

3.0 mins

Interval at which to watch for the Traceroute::icmp_time_exceeded_threshold variable to be crossed. At the end of each interval the counter is reset.

Traceroute::icmp_time_exceeded_threshold
Type

double

Attributes

&redef

Default

3.0

Defines the threshold for ICMP Time Exceeded messages for a src-dst pair. The count is compared against this threshold once per Traceroute::icmp_time_exceeded_interval. With Traceroute::require_low_ttl_packets left at its default of T, the threshold only comes into play after the source host has been seen sending low TTL packets to the destination.

Traceroute::require_low_ttl_packets
Type

bool

Attributes

&redef

Default

T

By default this script requires that any host detected running traceroutes first send low TTL packets (TTL < 10) to the traceroute destination host. Changing this setting to F relaxes the detection by relying solely on ICMP Time Exceeded messages to detect traceroute; this catches more cases but also raises more notices for unrelated TTL expiry, so raising Traceroute::icmp_time_exceeded_threshold at the same time is advisable.

Types

Traceroute::Info
Type

record

ts: time &log

Timestamp

src: addr &log

Address initiating the traceroute.

dst: addr &log

Destination address of the traceroute.

proto: string &log

Protocol used for the traceroute.

The log record for the traceroute log.

Events

Traceroute::log_traceroute
Type

event (rec: Traceroute::Info)

Hooks

Traceroute::log_policy
Type

Log::PolicyHook
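The redefinable options above and the Traceroute::log_policy hook are meant to be adjusted from a site's own scripts (typically local.zeek). The following is an added example, not code from the Zeek distribution or from this script: it loads the script, tunes the three options, and uses the log policy hook to drop traceroute.log entries for hosts that are expected to run traceroutes. The set known_probe_hosts and its addresses are assumptions made for the example; nothing in the script defines them.

```zeek
# Added example: site-local tuning of policy/misc/detect-traceroute.
# Not part of the Zeek distribution; place in local.zeek or a site script.

@load policy/misc/detect-traceroute

# Widen the observation window and require more Time Exceeded messages per
# src-dst pair before a notice is raised (script defaults: 3.0 mins and 3.0).
# The counter is reset at the end of each interval, so a slow traceroute that
# spreads fewer than 10 hops across 5 minutes will not trigger.
redef Traceroute::icmp_time_exceeded_interval = 5 mins;
redef Traceroute::icmp_time_exceeded_threshold = 10.0;

# Keep the low-TTL gating (the default). Setting this to F would alert on
# ICMP Time Exceeded messages alone, which is noisier; if you do relax it,
# raise the threshold above as well.
redef Traceroute::require_low_ttl_packets = T;

# Assumption for this example: a site-defined set of hosts that legitimately
# run traceroutes (e.g. network monitoring probes). This set is NOT defined
# by the script; the addresses are documentation-range placeholders.
const known_probe_hosts: set[addr] = { 192.0.2.10, 192.0.2.11 } &redef;

# Log::PolicyHook handlers receive the record, the log stream ID and the
# filter; executing `break` vetoes the write for that record. Here entries
# whose source is a known probe host never reach traceroute.log, while
# traceroutes from any other host are still logged.
hook Traceroute::log_policy(rec: Traceroute::Info, id: Log::ID, filter: Log::Filter)
	{
	if ( rec$src in known_probe_hosts )
		break;
	}
```

Note that the hook only filters the log stream; the notice raised by the script is governed separately by the Notice framework, so a host excluded here still produces a notice unless it is also handled there.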