policy/misc/scan.zeek

TCP Scan detection.
- Namespace: Scan
- Imports: base/frameworks/notice, base/frameworks/sumstats, base/utils/time.zeek
Summary
Redefinable Options
Scan::addr_scan_interval | Failed connection attempts are tracked over this time interval for the address scan detection.
Scan::addr_scan_threshold | The threshold of the number of unique hosts a scanning host has to have failed connections with on a single port.
Scan::port_scan_interval | Failed connection attempts are tracked over this time interval for the port scan detection.
Scan::port_scan_threshold | The threshold of the number of unique ports a scanning host has to have failed connections with on a single victim host.
Redefinitions
Detailed Interface
Redefinable Options
- Scan::addr_scan_interval
  Failed connection attempts are tracked over this time interval for the address scan detection. A higher interval will detect slower scanners, but may also yield more false positives.
- Scan::addr_scan_threshold
  The threshold of the number of unique hosts a scanning host has to have failed connections with on a single port.
- Scan::port_scan_interval
  Failed connection attempts are tracked over this time interval for the port scan detection. A higher interval will detect slower scanners, but may also yield more false positives.
- Scan::port_scan_threshold
  The threshold of the number of unique ports a scanning host has to have failed connections with on a single victim host.
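
The interval/threshold trade-off described above, as an added example (not Zeek's script or its SumStats implementation): a simplified Python model that counts unique victims per (scanner, port) and unique ports per (scanner, victim) in fixed time windows. The record layout, addresses, interval and threshold values, and the `make_records` and `detect` helpers are assumptions constructed for illustration.

```python
from collections import defaultdict


def make_records():
    """Constructed sample: (timestamp_s, scanner, victim, dest_port, failed)."""
    recs = []
    # Fast address scan: 30 hosts on port 22 within one minute.
    for i in range(30):
        recs.append((i * 2.0, "198.51.100.7", f"10.0.0.{i + 1}", 22, True))
    # Slow address scan: 30 hosts on port 445, one every 40 s (about 20 min).
    for i in range(30):
        recs.append((i * 40.0, "203.0.113.9", f"10.0.1.{i + 1}", 445, True))
    # Port scan: 20 ports on a single victim within 20 s.
    for p in range(20):
        recs.append((100.0 + p, "192.0.2.5", "10.0.2.10", 1000 + p, True))
    # Busy client whose connections succeed: must never be counted.
    for i in range(40):
        recs.append((float(i), "10.0.3.3", f"10.0.4.{i + 1}", 443, False))
    return recs


def detect(records, interval, threshold, mode):
    """Return the keys whose unique-item count reaches `threshold` inside
    any fixed window of `interval` seconds (simplified windowing model).

    mode="addr": key is (scanner, port), items are unique victim hosts.
    mode="port": key is (scanner, victim), items are unique ports.
    """
    seen = defaultdict(set)  # (window index, key) -> unique items
    hits = set()
    for ts, scanner, victim, port, failed in records:
        if not failed:
            continue  # only failed connection attempts are tracked
        if mode == "addr":
            key, item = (scanner, port), victim
        else:
            key, item = (scanner, victim), port
        bucket = seen[(int(ts // interval), key)]
        bucket.add(item)
        if len(bucket) >= threshold:
            hits.add(key)
    return hits


if __name__ == "__main__":
    recs = make_records()
    print("addr, 5 min :", sorted(detect(recs, 300, 25, "addr")))
    print("addr, 20 min:", sorted(detect(recs, 1200, 25, "addr")))
    print("port, 5 min :", sorted(detect(recs, 300, 15, "port")))
```

With the 300-second window the slow scanner never accumulates more than 8 hosts per window and goes unnoticed; widening the window to 1200 seconds catches it, at the cost of giving every other source four times as long to accumulate failed connections.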