Tuning Scan Detection
There are a large number of tunable parameters in the scan analyzer, all of which
are described in the reference manual. Most of these parameters should be fine for all sites. The only settings
that you may want to tune are:
- report_peer_scan: Generate a log message whenever a remote host has attempted to connect to the given number of distinct hosts. Default = { 100, 1000, 10000, }.
- report_outbound_peer_scan: Generate a log message whenever a local host has attempted to connect to the given number of remote hosts. Default = { 100, 1000, }.
- skip_services: List of ports on which scans are ignored, because they often get scanned
by legitimate (or at least common) services. The default list can be found
in the brolite.bro file.
If you want to enable ICMP scan detection, set these:
redef ICMP::detect_scans = T;
redef ICMP::scan_threshold = 100;
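As an added example (not code from the page or from the Bro distribution), a site-local tuning fragment, e.g. in local.bro, that combines the settings above. It assumes the fragment is loaded after brolite.bro, that the three scan settings are global &redef constants with set types matching the defaults shown (set[count] for the two thresholds, set[port] for skip_services), and that 8080/tcp is a constructed stand-in for a locally hosted service.

```bro
# Added example: site-local scan tuning, loaded after brolite.bro.
# Assumption: report_peer_scan, report_outbound_peer_scan and skip_services
# are global &redef constants of the scan analyzer, typed as the page's
# defaults suggest (set[count], set[count], set[port]).

# Raise the inbound thresholds: a site with a lot of legitimate fan-in
# only wants its first message at 250 distinct local hosts.
redef report_peer_scan = { 250, 2500, 25000, };

# Lower the outbound thresholds: a local host reaching 50 remote hosts
# is the case worth noticing early (possible compromised internal host).
redef report_outbound_peer_scan = { 50, 500, };

# Extend, rather than replace, the ignore list: "+=" keeps the brolite
# defaults and adds one locally hosted service that is routinely probed.
# Using "=" here would silently drop every default entry.
# (8080/tcp is a constructed placeholder for such a service.)
redef skip_services += { 8080/tcp, };

# ICMP scan detection is off by default; enable it with a threshold
# matching the lowest inbound TCP threshold above.
redef ICMP::detect_scans = T;
redef ICMP::scan_threshold = 250;
```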