
Initial commit

0 parents commit 9a5f6d1d47e97d8fd7aa90e5be37e760698f712f @alsmola committed Mar 30, 2011
@@ -0,0 +1,161 @@
+AckAboveHole
+weird
+Could mean packet drop; could also be a faulty TCP implementation
+AddressDropIgnored
+scan
+A request to drop connectivity has been ignored ; (scan detected, but one of these flags is true: !can drop connectivity, or never shut down, or never drop nets )
+AddressDropped
+scan
+Connectivity w/ given address has been dropped
+AddressScan
+scan
+The source has scanned a number of addrs
+BackscatterSeen
+scan
+Apparent flooding backscatter seen from source
+ClearToEncrypted_SS
+stepping
+A stepping stone was seen in which the first part of the chain is a clear-text connection but the second part is encrypted. This often means that a password or passphrase has been exposed in the clear, and may also mean that the user has an incomplete notion that their connection is protected from eavesdropping.
+ContentGap
+weird
+Data has sequence hole; perhaps due to filtering
+CountSignature
+signatures
+Signature has triggered multiple times for a destination
+DNS::DNS_MappingChanged
+DNS
+Some sort of change WRT previous Bro lookup
+DNS::DNS_PTR_Scan
+dns
+Summary of a set of PTR lookups (automatically generated once/day when dns policy is loaded)
+DroppedPackets
+netstats
+Number of packets dropped as reported by the packet filter
+FTP::FTP_BadPort
+ftp
+Bad format in PORT/PASV;
+FTP::FTP_
+ExcessiveFilename
+ftp
+Very long filename seen
+FTP::FTP_PrivPort
+ftp
+Privileged port used in PORT/PASV
+
+FTP::FTP_Sensitive
+ftp
+Sensitive connection (as defined in hot )
+FTP::FTP_UnexpectedConn
+ftp
+FTP data transfer from unexpected src
+HTTP::HTTP_SensitiveURI
+http
+Sensitive URI in GET/POST/HEAD
+(default sensitive URIs defined http-request.bro; e.g.: /etc.*\/.*(passwd|shadow|netconfig)
+HotEmailRecipient
+smtp
+XXX Need Example, default = NULL
+ICMP::ICMPAsymPayloadicmp
+Payload in echo req-resp not the same
+ICMP::ICMPConnectionPair
+icmp
+Too many ICMPs between hosts (default = 200)
+IdentSensitiveID
+ident
+Sensitive username in Ident lookup
+LocalWorm
+worm
+Worm seen in local host (searches for code red 1, code red 2, nimda, slammer)
+LoginForbiddenButConfused
+login
+Interactive login seen using forbidden username, but the analyzer was confused in following the login dialog, so may be in error.
+MultipleSigResponders
+signatures
+host has triggered the same signature on multiple responders
+MultipleSignatures
+signatures
+host has triggered many signatures
+MultipleSigResponders
+signatures
+host has triggered the same signature on multiple responders
+OutboundTFTP
+tftp
+outbound TFTP seen
+PasswordGuessing
+scan
+source tried too many user/password combinations (default = 25)
+PortScan
+scan
+the source has scanned a number of ports
+RemoteWorm
+worm
+worm seen in remote host
+ResolverInconsistency
+dns
+the answer returned by a DNS server differs from one previously returned
+ResourceSummary
+print-resources
+prints Bro resource usage
+RetransmissionInconsistency
+weird
+possible evasion; usually just bad TCP implementation
+SSL_SessConIncon
+ssl
+session data not consistent with connection
+SSL_X509Violation
+ssl
+blanket X509 error
+ScanSummary
+scan
+a summary of scanning activity, output once / day
+SensitiveConnection
+conn
+connection marked "hot", See: Reference Manual section on hot ids for more information.
+SensitiveDNS_Lookup
+dns
+DNS lookup of sensitive hostname/addr; default list of sensitive hosts = NULL
+SensitiveLogin
+login
+interactive login using sensitive username (defined in ’hot’)
+SensitivePortmapperAccess
+portmapper
+the given combination of the service looked up via the portmapper, the host requesting the lookup, and the host from which it’s requesting it is deemed sensitive
+SensitiveSignature
+signatures
+generic for alarm-worthy
+SensitiveUsernameInPassword
+login
+During a login dialog, a sensitive username (e.g., "rewt") was seen in the user’s password. This is reported as a notice because it could be that the login analyzer didn’t track the authentication dialog correctly, and in fact what it thinks is the user’s password is instead the user’s username.
+SignatureSummary
+signatures
+summarize number of times a host triggered a signature (default = 1/day)
+SynFloodEnd
+synflood
+end of syn-flood against a certain victim. A syn-flood is defined to be more than SYN- FLOOD THRESHOLD (default = 15000) new connections have been reported within the last SYNFLOOD INTERVAL (default = 60 seconds) for a certain IP.
+SynFloodStart
+synflood
+start of syn-flood against a certain victim
+SynFloodStatus
+synflood
+report of ongoing syn-flood
+TRWAddressScan
+trw
+source flagged as scanner by TRW
+algorithm
+TRWScanSummary
+trw
+summary of scanning activities reported by TRW
+TerminatingConnection
+conn
+"rst" command sent to connection origin, connection terminated, triggered in the following policies: ftp and login: forbidden user id, hot (connection from host with spoofed IP address)
+
+W32B_SourceLocal
+blaster
+report a local W32.Blaster-infected host
+W32B_SourceRemote
+blaster
+report a remote W32.Blaster-infected host
+WeirdActivity
+Weird
+generic unusual, alarm-worthy activity
+
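Review bot: several entries break the three-line record layout (notice name, category, description) that the rest of the file follows, so anything that reads this file three lines at a time will misalign every entry after the first break. `FTP::FTP_` / `ExcessiveFilename` is split across two lines, `ICMP::ICMPAsymPayloadicmp` runs the name and category together on one line, the TRWAddressScan description spills `algorithm` onto its own line, and there are stray blank lines after the FTP_PrivPort and TerminatingConnection entries; suggest joining the split lines, putting `icmp` on its own line, and dropping the blanks. Also worth fixing in the same pass: `MultipleSigResponders` appears twice with identical text, the category field is inconsistently cased (`DNS` vs `dns`, `Weird` vs `weird`), and the `HotEmailRecipient` description is still the placeholder `XXX Need Example, default = NULL`.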