Initial commit

0 parents commit 9a5f6d1d47e97d8fd7aa90e5be37e760698f712f @alsmola committed Mar 30, 2011
@@ -0,0 +1,161 @@
+Could mean packet drop; could also be a faulty TCP implementation
+A request to drop connectivity has been ignored ; (scan detected, but one of these flags is true: !can drop connectivity, or never shut down, or never drop nets )
+Connectivity w/ given address has been dropped
+The source has scanned a number of addrs
+Apparent flooding backscatter seen from source
+A stepping stone was seen in which the first part of the chain is a clear-text connection but the second part is encrypted. This often means that a password or passphrase has been exposed in the clear, and may also mean that the user has an incomplete notion that their connection is protected from eavesdropping.
+Data has sequence hole; perhaps due to filtering
+Signature has triggered multiple times for a destination
+Some sort of change WRT previous Bro lookup
+Summary of a set of PTR lookups (automatically generated once/day when dns policy is loaded)
+Number of packets dropped as reported by the packet filter
+Bad format in PORT/PASV;
+Very long filename seen
+Privileged port used in PORT/PASV
+Sensitive connection (as defined in hot )
+FTP data transfer from unexpected src
+Sensitive URI in GET/POST/HEAD
+(default sensitive URIs defined http-request.bro; e.g.: /etc.*\/.*(passwd|shadow|netconfig)
+XXX Need Example, default = NULL
+Payload in echo req-resp not the same
+Too many ICMPs between hosts (default = 200)
+Sensitive username in Ident lookup
+Worm seen in local host (searches for code red 1, code red 2, nimda, slammer)
+Interactive login seen using forbidden username, but the analyzer was confused in following the login dialog, so may be in error.
+host has triggered the same signature on multiple responders
+host has triggered many signatures
+host has triggered the same signature on multiple responders
+outbound TFTP seen
+source tried too many user/password combinations (default = 25)
+the source has scanned a number of ports
+worm seen in remote host
+the answer returned by a DNS server differs from one previously returned
+prints Bro resource usage
+possible evasion; usually just bad TCP implementation
+session data not consistent with connection
+blanket X509 error
+a summary of scanning activity, output once / day
+connection marked "hot", See: Reference Manual section on hot ids for more information.
+DNS lookup of sensitive hostname/addr; default list of sensitive hosts = NULL
+interactive login using sensitive username (defined in ’hot’)
+the given combination of the service looked up via the portmapper, the host requesting the lookup, and the host from which it’s requesting it is deemed sensitive
+generic for alarm-worthy
+During a login dialog, a sensitive username (e.g., "rewt") was seen in the user’s password. This is reported as a notice because it could be that the login analyzer didn’t track the authentication dialog correctly, and in fact what it thinks is the user’s password is instead the user’s username.
+summarize number of times a host triggered a signature (default = 1/day)
+end of syn-flood against a certain victim. A syn-flood is defined to be more than SYN- FLOOD THRESHOLD (default = 15000) new connections have been reported within the last SYNFLOOD INTERVAL (default = 60 seconds) for a certain IP.
+start of syn-flood against a certain victim
+report of ongoing syn-flood
+source flagged as scanner by TRW
+summary of scanning activities reported by TRW
+"rst" command sent to connection origin, connection terminated, triggered in the following policies: ftp and login: forbidden user id, hot (connection from host with spoofed IP address)
+report a local W32.Blaster-infected host
+report a remote W32.Blaster-infected host
+generic unusual, alarm-worthy activity
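Review bot: every line in this hunk is a free-text description with no notice type name attached, so nothing can be joined back to the Bro notice it describes; consider prefixing each line with its notice identifier (for example `NoticeName<TAB>description`) so the file is usable as a lookup. Two lines are exact duplicates (`+host has triggered the same signature on multiple responders` appears twice) and `+generic for alarm-worthy` overlaps with `+generic unusual, alarm-worthy activity`, which suggests copy errors that a per-line identifier would have caught. The placeholder `+XXX Need Example, default = NULL` looks like a leftover TODO rather than a description, and formatting is inconsistent across the file (mixed leading capitalization, the stray trailing `;` on `+Bad format in PORT/PASV;`, and the split identifier `SYN- FLOOD THRESHOLD` next to `SYNFLOOD INTERVAL`); worth normalizing before this is relied on by tooling.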