scan.zeek¶

Scan¶

TCP Scan detection.

Namespace: Scan
Imports: base/frameworks/notice, base/frameworks/sumstats, base/utils/time.zeek

Summary¶

Redefinable Options¶

`Scan::addr_scan_interval`: `interval` `&redef`	Failed connection attempts are tracked over this time interval for the address scan detection.
`Scan::addr_scan_threshold`: `double` `&redef`	The threshold of the unique number of hosts a scanning host has to have failed connections with on a single port.
`Scan::port_scan_interval`: `interval` `&redef`	Failed connection attempts are tracked over this time interval for the port scan detection.
`Scan::port_scan_threshold`: `double` `&redef`	The threshold of the number of unique ports a scanning host has to have failed connections with on a single victim host.

Redefinitions¶

Notice::Type: enum

Scan::Address_Scan: Address scans detect that a host appears to be scanning some number of destinations on a single port.
Scan::Port_Scan: Port scans detect that an attacking host appears to be scanning a single victim host on several ports.

Hooks¶

`Scan::addr_scan_policy`: `hook`
`Scan::port_scan_policy`: `hook`

Detailed Interface¶

Redefinable Options¶

Scan::addr_scan_interval¶

Type: interval
Attributes: &redef
Default: 5.0 mins

Failed connection attempts are tracked over this time interval for the address scan detection. A higher interval will detect slower scanners, but may also yield more false positives.

Scan::addr_scan_threshold¶

Type: double
Attributes: &redef
Default: 25.0

The threshold of the unique number of hosts a scanning host has to have failed connections with on a single port.

Scan::port_scan_interval¶

Type: interval
Attributes: &redef
Default: 5.0 mins

Failed connection attempts are tracked over this time interval for the port scan detection. A higher interval will detect slower scanners, but may also yield more false positives.

Scan::port_scan_threshold¶

Type: double
Attributes: &redef
Default: 15.0

The threshold of the number of unique ports a scanning host has to have failed connections with on a single victim host.

Hooks¶

Scan::addr_scan_policy¶

Type: hook (scanner: addr, victim: addr, scanned_port: port) : bool

Scan::port_scan_policy¶

Type: hook (scanner: addr, victim: addr, scanned_port: port) : bool