Removed files

1 parent 9a5f6d1 commit 8000e5162bc429948368ea92e39c05cdc4ac0159 @alsmola committed Mar 30, 2011
Showing with 0 additions and 1,378 deletions.
  1. +0 −161 images/bro-notice-types.txt
  2. +0 −1,217 images/broview.ai
@@ -1,161 +0,0 @@
-AckAboveHole
-weird
-Could mean packet drop; could also be a faulty TCP implementation
-AddressDropIgnored
-scan
-A request to drop connectivity has been ignored ; (scan detected, but one of these flags is true: !can drop connectivity, or never shut down, or never drop nets )
-AddressDropped
-scan
-Connectivity w/ given address has been dropped
-AddressScan
-scan
-The source has scanned a number of addrs
-BackscatterSeen
-scan
-Apparent flooding backscatter seen from source
-ClearToEncrypted_SS
-stepping
-A stepping stone was seen in which the first part of the chain is a clear-text connection but the second part is encrypted. This often means that a password or passphrase has been exposed in the clear, and may also mean that the user has an incomplete notion that their connection is protected from eavesdropping.
-ContentGap
-weird
-Data has sequence hole; perhaps due to filtering
-CountSignature
-signatures
-Signature has triggered multiple times for a destination
-DNS::DNS_MappingChanged
-DNS
-Some sort of change WRT previous Bro lookup
-DNS::DNS_PTR_Scan
-dns
-Summary of a set of PTR lookups (automatically generated once/day when dns policy is loaded)
-DroppedPackets
-netstats
-Number of packets dropped as reported by the packet filter
-FTP::FTP_BadPort
-ftp
-Bad format in PORT/PASV;
-FTP::FTP_
-ExcessiveFilename
-ftp
-Very long filename seen
-FTP::FTP_PrivPort
-ftp
-Privileged port used in PORT/PASV
-
-FTP::FTP_Sensitive
-ftp
-Sensitive connection (as defined in hot )
-FTP::FTP_UnexpectedConn
-ftp
-FTP data transfer from unexpected src
-HTTP::HTTP_SensitiveURI
-http
-Sensitive URI in GET/POST/HEAD
-(default sensitive URIs defined http-request.bro; e.g.: /etc.*\/.*(passwd|shadow|netconfig)
-HotEmailRecipient
-smtp
-XXX Need Example, default = NULL
-ICMP::ICMPAsymPayloadicmp
-Payload in echo req-resp not the same
-ICMP::ICMPConnectionPair
-icmp
-Too many ICMPs between hosts (default = 200)
-IdentSensitiveID
-ident
-Sensitive username in Ident lookup
-LocalWorm
-worm
-Worm seen in local host (searches for code red 1, code red 2, nimda, slammer)
-LoginForbiddenButConfused
-login
-Interactive login seen using forbidden username, but the analyzer was confused in following the login dialog, so may be in error.
-MultipleSigResponders
-signatures
-host has triggered the same signature on multiple responders
-MultipleSignatures
-signatures
-host has triggered many signatures
-MultipleSigResponders
-signatures
-host has triggered the same signature on multiple responders
-OutboundTFTP
-tftp
-outbound TFTP seen
-PasswordGuessing
-scan
-source tried too many user/password combinations (default = 25)
-PortScan
-scan
-the source has scanned a number of ports
-RemoteWorm
-worm
-worm seen in remote host
-ResolverInconsistency
-dns
-the answer returned by a DNS server differs from one previously returned
-ResourceSummary
-print-resources
-prints Bro resource usage
-RetransmissionInconsistency
-weird
-possible evasion; usually just bad TCP implementation
-SSL_SessConIncon
-ssl
-session data not consistent with connection
-SSL_X509Violation
-ssl
-blanket X509 error
-ScanSummary
-scan
-a summary of scanning activity, output once / day
-SensitiveConnection
-conn
-connection marked "hot", See: Reference Manual section on hot ids for more information.
-SensitiveDNS_Lookup
-dns
-DNS lookup of sensitive hostname/addr; default list of sensitive hosts = NULL
-SensitiveLogin
-login
-interactive login using sensitive username (defined in ’hot’)
-SensitivePortmapperAccess
-portmapper
-the given combination of the service looked up via the portmapper, the host requesting the lookup, and the host from which it’s requesting it is deemed sensitive
-SensitiveSignature
-signatures
-generic for alarm-worthy
-SensitiveUsernameInPassword
-login
-During a login dialog, a sensitive username (e.g., "rewt") was seen in the user’s password. This is reported as a notice because it could be that the login analyzer didn’t track the authentication dialog correctly, and in fact what it thinks is the user’s password is instead the user’s username.
-SignatureSummary
-signatures
-summarize number of times a host triggered a signature (default = 1/day)
-SynFloodEnd
-synflood
-end of syn-flood against a certain victim. A syn-flood is defined to be more than SYN- FLOOD THRESHOLD (default = 15000) new connections have been reported within the last SYNFLOOD INTERVAL (default = 60 seconds) for a certain IP.
-SynFloodStart
-synflood
-start of syn-flood against a certain victim
-SynFloodStatus
-synflood
-report of ongoing syn-flood
-TRWAddressScan
-trw
-source flagged as scanner by TRW
-algorithm
-TRWScanSummary
-trw
-summary of scanning activities reported by TRW
-TerminatingConnection
-conn
-"rst" command sent to connection origin, connection terminated, triggered in the following policies: ftp and login: forbidden user id, hot (connection from host with spoofed IP address)
-
-W32B_SourceLocal
-blaster
-report a local W32.Blaster-infected host
-W32B_SourceRemote
-blaster
-report a remote W32.Blaster-infected host
-WeirdActivity
-Weird
-generic unusual, alarm-worthy activity
-
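Review bot: The commit message "Removed files" gives no reason for deleting images/bro-notice-types.txt, and the whole 161-line reference of notice name, policy and description goes with it; please say in the message whether this list is superseded elsewhere or simply no longer needed. If the content is being kept somewhere else, the deleted copy has broken records worth fixing on the way: "FTP::FTP_" and "ExcessiveFilename" are split across two lines, "ICMP::ICMPAsymPayloadicmp" has the policy name fused onto the notice name, a stray "algorithm" line follows the TRWAddressScan description, and the MultipleSigResponders entry appears twice.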