policy/misc/detect-traceroute/main.zeek
- Traceroute
This script detects a large number of ICMP Time Exceeded messages heading toward hosts that have sent low TTL packets. It generates a notice when the number of ICMP Time Exceeded messages for a source-destination pair exceeds a threshold.
- Namespace: Traceroute
- Imports:
Summary
Redefinable Options
- Traceroute::icmp_time_exceeded_interval: Interval at which to watch for the Traceroute::icmp_time_exceeded_threshold variable to be crossed.
- Traceroute::icmp_time_exceeded_threshold: Defines the threshold for ICMP Time Exceeded messages for a src-dst pair.
- Traceroute::require_low_ttl_packets: By default this script requires that any host detected running traceroutes first send low TTL packets (TTL < 10) to the traceroute destination host.
Types
- Traceroute::Info: The log record for the traceroute log.
Redefinitions
Events
- Traceroute::log_traceroute: event (rec: Traceroute::Info)
Hooks
Detailed Interface
Redefinable Options
- Traceroute::icmp_time_exceeded_interval
  Interval at which to watch for the Traceroute::icmp_time_exceeded_threshold variable to be crossed. At the end of each interval the counter is reset.
- Traceroute::icmp_time_exceeded_threshold
  Defines the threshold for ICMP Time Exceeded messages for a src-dst pair. This threshold only comes into play after a host is found to be sending low TTL packets.
- Traceroute::require_low_ttl_packets
  By default this script requires that any host detected running traceroutes first send low TTL packets (TTL < 10) to the traceroute destination host. Changing this setting to F will relax the detection a bit by solely relying on ICMP time-exceeded messages to detect traceroute.
Types
- Traceroute::Info
  The log record for the traceroute log.
Events
- Traceroute::log_traceroute
  Type: event (rec: Traceroute::Info)
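The following site-policy snippet is an added example, not part of the Zeek distribution or of this script's documentation. It shows how a defender would load the script, tune the three redefinable options above, and consume Traceroute::log_traceroute records as they are written. The allow-list addresses are constructed, and it assumes (the page does not list the record's fields) that Traceroute::Info carries address fields named src and dst.

```zeek
# Added example site policy; not part of Zeek or the detect-traceroute script.
# Assumes Traceroute::Info has addr fields `src` and `dst` (assumption: the
# documentation page above does not enumerate the record's fields).

@load policy/misc/detect-traceroute

# Shorten the observation window. The per-pair counter is reset at the end of
# each interval, so the threshold must be crossed within this window.
redef Traceroute::icmp_time_exceeded_interval = 1min;

# Require more ICMP Time Exceeded messages per src-dst pair before a notice is
# raised, which reduces noise from a single expired-TTL packet.
redef Traceroute::icmp_time_exceeded_threshold = 5.0;

# Keep the stricter mode: the source must also have sent low-TTL (< 10) packets
# toward the destination. Setting this to F relies on ICMP alone, which catches
# more cases but also picks up routing loops and other unrelated TTL expiry.
redef Traceroute::require_low_ttl_packets = T;

# Hosts that are expected to run traceroutes (e.g. network monitoring boxes).
# Constructed example addresses from the documentation range.
const monitoring_hosts: set[addr] = { 192.0.2.10, 192.0.2.11 } &redef;

# Per-source tally of traceroute log records, excluding allow-listed hosts.
global traceroute_sources: table[addr] of count &default = 0;

# Handle each record as the script writes it to the traceroute log.
event Traceroute::log_traceroute(rec: Traceroute::Info)
	{
	if ( rec$src in monitoring_hosts )
		return;

	++traceroute_sources[rec$src];
	}

# Summarise what was seen when Zeek exits (a live deployment would instead
# forward the records to a SIEM or act on them through the Notice framework).
event zeek_done()
	{
	for ( src in traceroute_sources )
		print fmt("traceroute source %s logged %d times", src, traceroute_sources[src]);
	}
```

Drop the snippet into local.zeek (or any loaded site policy) to apply it. The threshold is assigned as 5.0 because the option is a double; lowering require_low_ttl_packets to F is the one change here that materially increases false positives, so it is kept at T.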