backdoor_log : file
The file into which alerts about backdoor servers are written.
backdoor_min_num_lines : count
The number of lines of input and output (Fixme: must this be Telnet?) must exceed this value before backdoor checking is triggered.
Note: This variable is const, so may only be changed via redef.
backdoor_min_normal_line_ratio : double
If the fraction of “normal” lines (those shorter than a certain length) is below this value, backdoor checking is not performed.
Note: This variable is const, so may only be changed via redef.
The total number of bytes transferred on the connection must be at least this large for backdoor checking to be performed.
Note: This variable is const, so may only be changed via redef.
backdoor_min_7bit_ascii_ratio : double
The fraction of 7-bit ASCII characters among all bytes transferred must be at least this large for backdoor checking to be performed.
Note: This variable is const, so may only be changed via redef.
backdoor_demux_disabled : bool
If T (the default), suspected backdoor connections are not demuxed into sender and receiver streams.
Note: This variable is const, so may only be changed via redef.
backdoor_demux_skip_tags : set[string]
If the type of backdoor (its tag) is in this set, the connection is not demuxed.
Note: This variable is const, so may only be changed via redef.
backdoor_ignore_src_addrs : table[string, addr] of bool
If the pair (suspected backdoor name, source address) is in this table, the backdoor is not logged. The name may be “*” to match any backdoor, and the address may be the source address itself or the base address of its /24 or /16 subnet.
Note: This variable is const, so may only be changed via redef.
backdoor_ignore_dst_addrs : table[string, addr] of bool
If the pair (suspected backdoor name, destination address) is in this table, the backdoor is not logged. The name may be “*” to match any backdoor, and the address may be the destination address itself or the base address of its /24 or /16 subnet.
Note: This variable is const, so may only be changed via redef.
backdoor_ignore_ports : table[string, port] of bool
The (signature, well-known port) pairs in this table do not generate a backdoor alert.
Note: This variable is const, so may only be changed via redef.
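As an added example (not code from backdoor.bro or the Bro distribution), the following local policy fragment shows how the pre-check thresholds, the demux switches and the three ignore tables above are set with redef. The threshold values, addresses and ports are illustrative assumptions; the tag names used are the ones this page documents (“ftp-sig”, “napster-sig”), plus the “*” wildcard.

```bro
# Added example: local tuning for the backdoor analyzer. Not part of
# backdoor.bro; every value below is an illustrative assumption.
@load backdoor

# Pre-checks. Raising these means fewer connections reach the more
# expensive signature and size-distribution checks, at the cost of
# missing short or binary-heavy sessions; lowering them costs CPU and
# raises the false-positive rate. Each is const, hence redef.
redef backdoor_min_num_lines = 10;
redef backdoor_min_normal_line_ratio = 0.5;
redef backdoor_min_7bit_ascii_ratio = 0.8;

# Leave demuxing off (the default): demuxed sender/receiver streams are
# the session contents written out, which has storage and privacy
# implications. Even if it is later enabled, never demux these tags.
redef backdoor_demux_disabled = T;
redef backdoor_demux_skip_tags += { "napster-sig" };

# The ignore tables suppress logging only; detection still runs. The
# name must match exactly, with "*" matching any backdoor. The address
# may be a host, or the base address of its /24 or /16, since the
# analyzer also looks the pair up under those masks.
redef backdoor_ignore_src_addrs += {
    ["*", 10.1.2.3] = T,           # assumed: a known jump host
    ["ftp-sig", 10.20.0.0] = T     # assumed: /16 holding legitimate FTP servers
};
redef backdoor_ignore_dst_addrs += {
    ["napster-sig", 192.168.5.0] = T   # assumed: /24 of a lab network
};

# (signature, well-known port) pairs that are expected and should not alert.
redef backdoor_ignore_ports += {
    ["ftp-sig", 21/tcp] = T,
    ["napster-sig", 6699/tcp] = T      # assumed: Napster's usual port
};
```

Because the ignore tables only affect logging, a suppressed match still consumes analysis time; if the goal is to save CPU rather than to cut noise, tighten the pre-check thresholds or disable the signature itself instead.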
backdoor_standard_ports : set[port]
See backdoor_annotate_standard_ports.
Note: This variable is const, so may only be changed via redef.
backdoor_stat_period : interval
A report on backdoor statistics is generated at this interval.
Note: This variable is const, so may only be changed via redef.
backdoor_stat_backoff : interval
(Fixme: not sure about the exact definition here.) The backdoor report interval (backdoor_stat_period) is increased by this factor each time a report is generated, unless the timers are artificially expired.
Note: This variable is const, so may only be changed via redef.
backdoor_annotate_standard_ports : bool
If T (the default), backdoor alerts for connections on backdoor_standard_ports are annotated with the backdoor tag name.
Note: This variable is const, so may only be changed via redef.
ssh_sig_disabled : bool
If T (default F), matches against the SSH signature are ignored.
Note: This variable is const, so may only be changed via redef.
telnet_sig_disabled : bool
If T (default F), matches against the Telnet signature are ignored.
Note: This variable is const, so may only be changed via redef.
telnet_sig_3byte_disabled : bool
If T (default F), matches against the 3-byte Telnet signature are ignored.
Note: This variable is const, so may only be changed via redef.
rlogin_sig_disabled : bool
If T (default F), matches against the rlogin signature are ignored.
Note: This variable is const, so may only be changed via redef.
rlogin_sig_1byte_disabled : bool
If T (default F), matches against the 1-byte rlogin signature are ignored.
Note: This variable is const, so may only be changed via redef.
root_backdoor_sig_disabled : bool
If T (default F), matches against the root backdoor signature are ignored.
Note: This variable is const, so may only be changed via redef.
ftp_sig_disabled : bool
If T (default F), matches against the FTP signature are ignored.
Note: This variable is const, so may only be changed via redef.
napster_sig_disabled : bool
If T (default F), matches against the Napster signature are ignored.
Note: This variable is const, so may only be changed via redef.
gnutella_sig_disabled : bool
If T (default F), matches against the Gnutella signature are ignored.
Note: This variable is const, so may only be changed via redef.
kazaa_sig_disabled : bool
If T (default F), matches against the KaZaA signature are ignored.
Note: This variable is const, so may only be changed via redef.
http_sig_disabled : bool
If T (default F), matches against the HTTP signature are ignored.
Note: This variable is const, so may only be changed via redef.
http_proxy_sig_disabled : bool
If T (default F), matches against the HTTP proxy signature are ignored.
Note: This variable is const, so may only be changed via redef.
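As an added example (not code from backdoor.bro or the Bro distribution), this fragment shows how the standard-port annotation, the statistics period and the per-signature toggles above fit together in a site policy. The port list, the report interval and the choice of which signatures to disable are assumptions made for illustration.

```bro
# Added example: signature selection and standard-port labelling for
# the backdoor analyzer. Not part of backdoor.bro; values are assumptions.
@load backdoor

# Ports on which the matched protocol is expected. With
# backdoor_annotate_standard_ports = T (the default) an alert on one of
# these ports is still logged but carries the tag name, so an SSH server
# on 22/tcp is distinguishable from SSH turning up on 8080/tcp.
redef backdoor_standard_ports += { 21/tcp, 22/tcp, 23/tcp, 80/tcp };
redef backdoor_annotate_standard_ports = T;

# How often the statistics report is written; backdoor_stat_backoff then
# stretches the interval after each report, so this is the initial cadence.
redef backdoor_stat_period = 1 hr;

# Every *_sig_disabled defaults to F (signature active). A site that
# does not care about peer-to-peer traffic can switch those signatures
# off entirely rather than suppress their alerts via the ignore tables.
redef napster_sig_disabled = T;
redef gnutella_sig_disabled = T;
redef kazaa_sig_disabled = T;

# The single-byte variants match on one byte and are the likeliest to be
# noisy. The 3-byte Telnet signature needs a whole command sequence, so
# keep it and drop only the 1-byte rlogin check (assumed noisy here).
redef telnet_sig_3byte_disabled = F;
redef rlogin_sig_1byte_disabled = T;

# Interactive-login and root backdoor detection stay on.
redef ssh_sig_disabled = F;
redef telnet_sig_disabled = F;
redef rlogin_sig_disabled = F;
redef root_backdoor_sig_disabled = F;
```

Disabling a signature removes the check altogether; the ignore tables, by contrast, keep the check and only drop the log line, so the two are complementary rather than interchangeable.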
did_sigconns : table[conn_id] of set[string]
A table indicating, for each connection, which backdoor server signatures were found in the connection's traffic, e.g., “ftp-sig” or “napster-sig”.
rlogin_conns : table[conn_id] of rlogin_conn_info
A table holding the relevant state (an rlogin_conn_info record) for rsh connections.
root_backdoor_sig_conns : set[conn_id]
The set of connections for which a root backdoor signature (“root-bd-sig”) has been detected.
ssh_len_conns : set[conn_id]
The set of connections predicted to contain SSH traffic, based on the proportion of packets that fit the expected packet size distribution. The relevant parameters are ssh_min_num_pkts and ssh_min_ssh_pkts_ratio, which are local to backdoor.
ssh_min_num_pkts : count
The minimum number of SSH-looking packets required before a stream can be classified as SSH.
ssh_min_ssh_pkts_ratio : double
The minimum fraction of packets in a stream that look like SSH packets required before the stream can be classified as SSH.
Note: This variable is const, so may only be changed via redef.
telnet_sig_conns : table[conn_id] of count
The connections predicted to be Telnet connections, keyed by connection ID, based on observation of the Telnet signature, the IAC byte (0xff).
telnet_sig_3byte_conns : table[conn_id] of count
Similar to telnet_sig_conns, but the signature matched is a whole 3-byte Telnet command sequence.
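As an added example (not code from backdoor.bro or the Bro distribution), the handler below reads the state tables described above to write a per-connection summary of everything the analyzer recorded. It assumes that did_sigconns, root_backdoor_sig_conns, ssh_len_conns and the two Telnet tables still hold their entries when the standard connection_state_remove event fires (backdoor.bro may clear them earlier), and that backdoor_log is already open for writing; the labels “ssh-len”, “telnet-iac” and “telnet-3byte” are made up here, not tag names from the analyzer.

```bro
# Added example: summarise, per connection, which backdoor signatures
# the analyzer recorded in its state tables. Not part of backdoor.bro.
# Assumptions: the tables still hold the entry at connection_state_remove
# time, and backdoor_log has been opened by backdoor.bro.
@load backdoor

event connection_state_remove(c: connection)
    {
    local id = c$id;
    local tags = "";

    # Payload signature matches, e.g. "ftp-sig", "napster-sig".
    if ( id in did_sigconns )
        for ( s in did_sigconns[id] )
            tags = cat(tags, s, " ");

    # The root backdoor signature is tracked in its own set.
    if ( id in root_backdoor_sig_conns )
        tags = cat(tags, "root-bd-sig ");

    # SSH inferred from packet sizes, not from a signature
    # (label "ssh-len" is assumed, not an analyzer tag).
    if ( id in ssh_len_conns )
        tags = cat(tags, "ssh-len ");

    # Telnet tables map to a count, so report how strong the match was;
    # prefer the stricter 3-byte command-sequence match when present.
    if ( id in telnet_sig_3byte_conns )
        tags = cat(tags, fmt("telnet-3byte:%d ", telnet_sig_3byte_conns[id]));
    else if ( id in telnet_sig_conns )
        tags = cat(tags, fmt("telnet-iac:%d ", telnet_sig_conns[id]));

    if ( tags == "" )
        return;

    print backdoor_log, fmt("%s %s:%s -> %s:%s %s", network_time(),
                            id$orig_h, id$orig_p, id$resp_h, id$resp_p, tags);
    }
```

A summary like this is most useful for tuning: a connection that appears only under ssh_len_conns (size distribution, no signature) is a weaker indication than one that also carries a signature in did_sigconns, and a Telnet count of 1 from the IAC byte alone is the kind of match the 3-byte variant exists to confirm.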