scan variables

In addition to internal variables for its bookkeeping, the analyzer provides the following redefinable variables:
report_peer_scan : set[count]
Generate a log message whenever a remote host (as determined by is_local_address) has attempted to connect to the given number of distinct hosts. Default: { 100, 1000, 10000, }. So, for example, if a remote host attempts to connect to 3,500 different local hosts, a report will be generated when it makes the 100th attempt, and another when it makes the 1,000th attempt.

report_outbound_peer_scan : set[count]
report_peer_scan, except for connections initiated locally. Default: { 1000, 10000, }.

possible_port_scan_thresh : count
Default: 25.

report_accounts_tried : set[count]
Default: { 25, 100, 500, }.

report_remote_accounts_tried : set[count]
Default: { 100, 500, }.

skip_accounts_tried : set[addr]
Default: empty.

skip_outbound_services : set[port]
Default: allow_services, ftp, addl_web (see next item).

addl_web : set[port]
Default: { 81/tcp, 443/tcp, 8000/tcp, 8001/tcp, 8080/tcp, }.

skip_scan_sources : set[addr]
Default: scooter.pa-x.dec.com, scooter2.av.pa-x.dec.com (AltaVista crawlers; you get the idea.)

skip_scan_nets_24 : set[addr, port]
Default: empty.

can_drop_connectivity : bool
drop_address.
Default: false.

shut_down_scans : set[port]
shut_down_all_scans is defined (next item).
Default: empty.

shut_down_all_scans : bool
shut_down_scans and simply drop all scans regardless of service.
Default: false.

shut_down_thresh : count
Default: 100.

never_shut_down : set[addr]
Default: the root name servers (a.root-servers.net through m.root-servers.net).
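
The threshold behaviour of report_peer_scan and report_outbound_peer_scan, modelled in Python as an added example (not the analyzer's own code). The class and function names, the 10.0.0.0/8 local network and all addresses are constructed assumptions; the thresholds are the defaults listed above.

```python
import ipaddress
from collections import defaultdict

# Defaults quoted from the variable list above.
REPORT_PEER_SCAN = {100, 1000, 10000}
REPORT_OUTBOUND_PEER_SCAN = {1000, 10000}

# Assumption: "local" means inside this constructed network; the analyzer
# itself makes this decision with is_local_address.
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_local(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


class PeerScanTracker:
    """Counts distinct destinations per source and reports at thresholds."""

    def __init__(self):
        self.peers = defaultdict(set)  # source -> distinct destinations seen
        self.reports = []              # (source, direction, distinct count)

    def attempt(self, src, dst):
        seen = self.peers[src]
        if dst in seen:                # repeat contact is not a new host
            return
        seen.add(dst)
        outbound = is_local(src)       # connection initiated locally
        limits = REPORT_OUTBOUND_PEER_SCAN if outbound else REPORT_PEER_SCAN
        if len(seen) in limits:        # fires once, when the count is reached
            direction = "outbound" if outbound else "inbound"
            self.reports.append((src, direction, len(seen)))


def simulate():
    """Constructed traffic: the 3,500-host case above, plus a local source."""
    tracker = PeerScanTracker()
    base = ipaddress.ip_address("10.0.0.0")
    for i in range(1, 3501):           # remote source sweeps 3,500 local hosts
        tracker.attempt("198.51.100.7", str(base + i))
        tracker.attempt("198.51.100.7", str(base + i))  # duplicate, ignored
    base = ipaddress.ip_address("203.0.113.0")
    for i in range(1200):              # local source contacts 1,200 remote hosts
        tracker.attempt("10.0.0.5", str(base + i))
    return tracker.reports
```

The remote source produces reports at 100 and 1,000 distinct hosts and none after that until 10,000, while the local source is first reported at 1,000 because the outbound set has no 100 entry.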