policy/misc/scan.zeek

Scan

TCP Scan detection.

Namespace: Scan
Imports: base/frameworks/notice, base/frameworks/sumstats, base/utils/time.zeek

Summary

Redefinable Options

Scan::addr_scan_interval: interval &redef
    Failed connection attempts are tracked over this time interval for the address scan detection.
Scan::addr_scan_threshold: double &redef
    The threshold of the unique number of hosts a scanning host has to have failed connections with on a single port.
Scan::port_scan_interval: interval &redef
    Failed connection attempts are tracked over this time interval for the port scan detection.
Scan::port_scan_threshold: double &redef
    The threshold of the number of unique ports a scanning host has to have failed connections with on a single victim host.

Redefinitions

Notice::Type: enum
  • Scan::Address_Scan: Address scans detect that a host appears to be scanning some number of destinations on a single port.
  • Scan::Port_Scan: Port scans detect that an attacking host appears to be scanning a single victim host on several ports.

Detailed Interface

Redefinable Options

Scan::addr_scan_interval
Type: interval
Attributes: &redef
Default: 5.0 mins

Failed connection attempts are tracked over this time interval for the address scan detection. A higher interval will detect slower scanners, but may also yield more false positives.

Scan::addr_scan_threshold
Type: double
Attributes: &redef
Default: 25.0

The threshold of the unique number of hosts a scanning host has to have failed connections with on a single port.

Scan::port_scan_interval
Type: interval
Attributes: &redef
Default: 5.0 mins

Failed connection attempts are tracked over this time interval for the port scan detection. A higher interval will detect slower scanners, but may also yield more false positives.

Scan::port_scan_threshold
Type: double
Attributes: &redef
Default: 15.0

The threshold of the number of unique ports a scanning host has to have failed connections with on a single victim host.

Hooks

Scan::addr_scan_policy
Type: hook (scanner: addr, victim: addr, scanned_port: port) : bool
Scan::port_scan_policy
Type: hook (scanner: addr, victim: addr, scanned_port: port) : bool
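The following site script is an added example, not part of scan.zeek or the Zeek distribution. It shows how the redefinable options above are tuned from a local script and how the two policy hooks are used: a hook handler that executes `break` vetoes the hook (standard Zeek hook semantics), so the failed connection it was asked about is not counted toward the scan thresholds. The exempt source addresses, the ignored port and the threshold values are assumptions chosen for illustration; `Site::is_local_addr`, `Notice::policy` and `Notice::ACTION_EMAIL` are existing Zeek framework names.

```zeek
# Added example (not part of scan.zeek): load the TCP scan detector, tune
# its thresholds and filter known-benign sources through the policy hooks.
@load policy/misc/scan
@load base/utils/site

# Assumed, site-specific values: hosts that legitimately probe many
# addresses and ports (an internal vulnerability scanner and a monitoring
# host). Both addresses are constructed for this example.
const scan_exempt_sources: set[addr] = {
	10.0.0.5,  # assumed: internal vulnerability scanner
	10.0.0.6   # assumed: monitoring host running reachability checks
} &redef;

# Assumed: ports on which refused connections are routine (here ident
# lookups from mail servers) and should not feed the port-scan counters.
const port_scan_ignore_ports: set[port] = { 113/tcp } &redef;

# Tune the redefinable options. A longer addr_scan_interval catches slower
# scanners at the cost of more false positives, so the threshold is raised
# with it. Values are illustrative, not recommendations.
redef Scan::addr_scan_interval = 15 mins;
redef Scan::addr_scan_threshold = 50.0;
redef Scan::port_scan_threshold = 20.0;

# Address-scan policy: exempt the listed sources. `break` vetoes the hook,
# so this failed connection is not counted for Scan::Address_Scan.
hook Scan::addr_scan_policy(scanner: addr, victim: addr, scanned_port: port)
	{
	if ( scanner in scan_exempt_sources )
		break;
	}

# Port-scan policy: exempt the listed sources and the ignored ports.
hook Scan::port_scan_policy(scanner: addr, victim: addr, scanned_port: port)
	{
	if ( scanner in scan_exempt_sources || scanned_port in port_scan_ignore_ports )
		break;
	}

# Escalate scan notices whose source lies inside the monitored networks,
# since an internal scanner is more likely to be a compromised host.
hook Notice::policy(n: Notice::Info)
	{
	if ( (n$note == Scan::Address_Scan || n$note == Scan::Port_Scan) &&
	     n?$src && Site::is_local_addr(n$src) )
		add n$actions[Notice::ACTION_EMAIL];
	}
```

Place the script in the site directory and load it from local.zeek; the `&redef` on the two constants lets a further site script adjust the exempt lists without editing this file. Because the hooks are consulted per failed connection, keep their bodies to cheap set lookups as shown; expensive work in a policy hook runs once for every failed connection attempt Zeek sees.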