next up previous contents index
Next: Predefined Functions Up: Predefined Variables and Functions Previous: Predefined Variables and Functions   Contents   Index

Subsections


Predefined Variables

Bro predefines and responds to the following variables, organized by the policy file in which they are contained. Note that you will only be able to access the variables in a policy file if you @load it or a policy file which @load s it.

active.bro

[active_conn : table[conn_id] of connection] A table of connection records corresponding to all active connections.

alert.bro

[alert_action_filters : table[Alert] of function(a: alert_info): AlertAction] A table that maps each Alert into a function that should be called to determine the action.

[alert_file : file] The file into which alerts are written.

anon.bro

[anon_log : file] The file into which anonymization Fix me: Add a reference to doc on anonymization when it is available. IP address mappings are written.

[preserved_subnet : set[subnet]] Addresses in these subnet are preserved when anonymization is being performed. See also preserved_net.
NOTE: This variable is const, so may only be changed via redef.

[preserved_net : set[net]] These Class A/B/C nets are preserved when anonymization is being performed. See also preserved_subnet.

backdoor.bro

[backdoor_log : file] The file into which alerts about backdoor servers (backdoor) are written.

[backdoor_min_num_lines : count] The number of lines of Fix me: must be telnet? input and output must be more than this amount to trigger backdoor checking.
NOTE: This variable is const, so may only be changed via redef.

[backdoor_min_normal_line_ratio : double] If the fraction of ``normal'' (less than a certain length) lines is below this value, then backdoor checking is not performed.
NOTE: This variable is const, so may only be changed via redef.

[backdoor_min_bytes : count] The total number of bytes transferred on the connection must be at least this large in order for backdoor checking to be performed.
NOTE: This variable is const, so may only be changed via redef.

[backdoor_min_7bit_ascii_ratio : double] The fraction of 7-bit ASCII characters out of all bytes transferred must be at least this large in order for backdoor checking to be performed.
NOTE: This variable is const, so may only be changed via redef.

[backdoor_demux_disabled : bool] If T (the default), then suspected backdoor connections are not demuxed into sender and receiver streams.
NOTE: This variable is const, so may only be changed via redef.

[backdoor_demux_skip_tags : set[string]] If the type of backdoor (the tag) is in this set, the connection will not be demuxed.
NOTE: This variable is const, so may only be changed via redef.

[backdoor_ignore_src_addrs : table[string, addr] of bool] If the suspected backdoor name (``*'' for any) and source address (or its /16 or /24) subnet are in this table as a pair, then the backdoor will not be logged.
NOTE: This variable is const, so may only be changed via redef.

[backdoor_ignore_dst_addrs : table[string, addr] of bool] If the suspected backdoor name (``*'' for any) and destination address (or its /16 or /24) subnet are in this table as a pair, then the backdoor will not be logged.
NOTE: This variable is const, so may only be changed via redef.

[backdoor_ignore_ports : table[string, port] of bool] The following (signature, well-known port) paits should not generated a backdoor alert.
NOTE: This variable is const, so may only be changed via redef.

[backdoor_standard_ports : set[port]] See backdoor_annotate_standard_ports.
NOTE: This variable is const, so may only be changed via redef.

[backdoor_stat_period : interval] A report on backdoor stats is generated at this interval.
NOTE: This variable is const, so may only be changed via redef.

[backdoor_stat_backoff : interval] Fix me: Not sure about the exact definition here The backdoor report interval (backdoor_stat_period) is increased by this factor each time it is generated [, except if the timers are artificially expired].
NOTE: This variable is const, so may only be changed via redef.

[backdoor_annotate_standard_ports : bool] If T (the default), backdoors alerts for those on backdoor_standard_ports should be annotated with the backdoor tag name.
NOTE: This variable is const, so may only be changed via redef.

[ssh_sig_disabled : bool] If T (default = F), then matches against the SSH signature are ignored.
NOTE: This variable is const, so may only be changed via redef.

[telnet_sig_disabled : bool] If T (default = F), then matches against the telnet signature are ignored.
NOTE: This variable is const, so may only be changed via redef.

[telnet_sig_3byte_disabled : bool] If T (default = F), then matches against the 3-byte telnet signature are ignored.
NOTE: This variable is const, so may only be changed via redef.

[rlogin_sig_disabled : bool] If T (default = F), then matches against the rlogin signature are ignored.
NOTE: This variable is const, so may only be changed via redef.

[rlogin_sig_1byte_disabled : bool] If T (default = F), then matches against the 1-byte rlogin signature are ignored.
NOTE: This variable is const, so may only be changed via redef.

[root_backdoor_sig_disabled : bool] If T (default = F), then matches against the root backdoor signature are ignored.
NOTE: This variable is const, so may only be changed via redef.

[ftp_sig_disabled : bool] If T (default = F), then matches against the FTP signature are ignored.
NOTE: This variable is const, so may only be changed via redef.

[napster_sig_disabled : bool] If T (default = F), then matches against the Napster signature are ignored.
NOTE: This variable is const, so may only be changed via redef.

[gnutella_sig_disabled : bool] If T (default = F), then matches against the Gnutella signature are ignored.
NOTE: This variable is const, so may only be changed via redef.

[kazaa_sig_disabled : bool] If T (default = F), then matches against the KaZaA signature are ignored.
NOTE: This variable is const, so may only be changed via redef.

[http_sig_disabled : bool] If T (default = F), then matches against the HTTP signature are ignored.
NOTE: This variable is const, so may only be changed via redef.

[http_proxy_sig_disabled : bool] If T (default = F), then matches against the HTTP proxy signature are ignored.
NOTE: This variable is const, so may only be changed via redef.

[did_sigconns : table[conn_id] of set[string]] A table which indicates, for each connection, which backdoor server signatures were found in the connection's traffic, e.g., ``ftp-sig'' or ``napster-sig''.

[rlogin_conns : table[conn_id] of rlogin_conn_info] A table that holds relevant state variables (an rlogin_conn_info record) for rsh connections.

[root_backdoor_sig_conns : set[conn_id]] The set of connections for which a root backdoor signature (``root-bd-sig'') has been detected.

[ssh_len_conns : set[conn_id]] The set of connections that are predicted to contain SSH traffic, based on the proportion of packets that meet the expected packet size distribution. Relevant parameters are ssh_min_num_pkts and ssh_min_ssh_pkts_ratio, which are local to backdoor.

[ssh_min_num_pkts : count] The minimum number of packets that look like SSH packets that allow a stream to be classified as such.
NOTE: This variable is const, so may only be changed via redef.

[ssh_min_ssh_pkts_ratio : double] The minimum fraction of packets in a stream that look like SSH packets that allow a stream to be classified as such.
NOTE: This variable is const, so may only be changed via redef.

[telnet_sig_conns : table[conn_id] of count] The set of connections that are predicted to be Telnet connections, based on observation of the Telnet signature, the IAC byte (0xff).

[telnet_sig_3byte_conns : table[conn_id] of count] Similar to telnet_sig_conns, but the signature matched is a whole 3-byte Telnet command sequence.

bro.init

[ignore_checksums : bool] If T (default = F), packet checksums are not verified.
NOTE: This variable is const, so may only be changed via redef.

[partial_connection_ok : bool] If T (the default), instantiate connection state when a partial connection (one missing its initial establishment negotiation) is seen.
NOTE: This variable is const, so may only be changed via redef.

[tcp_SYN_ack_ok : bool] If T (the default), instantiate connection state when a SYN ack is seen but not the initial SYN (even if partial_connection_ok is false).
NOTE: This variable is const, so may only be changed via redef.

[tcp_match_undelivered : bool] If a connection state is removed there may still be some undelivered data waiting in the reassembler. If T (the default), pass this to the signature engine before flushing the state.
NOTE: This variable is const, so may only be changed via redef.

[tcp_SYN_timeout : interval] Check up on the result of an initial SYN after this much time. Fix me: What exactly does this mean? Check that the connection is active?
NOTE: This variable is const, so may only be changed via redef.

[tcp_session_timer : interval] After a connection has closed, wait this long for further activity before checking whether to time out its state.
NOTE: This variable is const, so may only be changed via redef.

[tcp_connection_linger : interval] When checking a closed connection for further activity, consider it inactive if there hasn't been any for this long. Complain if the connection is reused before this much time has elapsed.
NOTE: This variable is const, so may only be changed via redef.

[tcp_attempt_delayv : interval] Wait this long upon seeing an initial SYN before timing out the connection attempt.
NOTE: This variable is const, so may only be changed via redef.

[tcp_close_delay : interval] Upon seeing a normal connection close, flush state after this much time.
NOTE: This variable is const, so may only be changed via redef.

[tcp_reset_delay : interval] Upon seeing a RST, flush state after this much time.
NOTE: This variable is const, so may only be changed via redef.

[tcp_partial_close_delay : interval] Generate a connection_partial_close event this much time after one half of a partial connection closes, assuming there has been no subsequent activity.
NOTE: This variable is const, so may only be changed via redef.

[non_analyzed_lifetime : interval] If a connection belongs to an application that we don't analyze, time it out after this interval. If 0 secs, then don't time it out.
NOTE: This variable is const, so may only be changed via redef.

[inactivity_timeout : interval] If a connection is inactive, time it out after this interval. If 0 secs, then don't time it out.
NOTE: This variable is const, so may only be changed via redef.

[tcp_storm_thresh : count] This many FINs/RSTs in a row constitutes a "storm". See also tcp_storm_interarrival_thresh.
NOTE: This variable is const, so may only be changed via redef.

[tcp_storm_interarrival_thresh : interval] The FINs/RSTs must come with this much time or less between them to be considered a storm. See also tcp_storm_thresh.
NOTE: This variable is const, so may only be changed via redef.

[tcp_reassembler_ports_orig : set[port]] For services without a handler, these sets define which side of a connection is to be reassembled. Fix me: What is the point of this exactly? What are you analyzing?
NOTE: This variable is const, so may only be changed via redef.

[tcp_reassembler_ports_resp : set[port]] For services without a handler, these sets define which side of a connection is to be reassembled. Fix me: What is the point of this exactly? What are you analyzing?
NOTE: This variable is const, so may only be changed via redef.

[table_expire_interval : interval] Check for expired table entries after this amount of time Fix me: Which tables?
NOTE: This variable is const, so may only be changed via redef.

[dns_session_timeout : interval] Time to wait before timing out a DNS request.
NOTE: This variable is const, so may only be changed via redef.

[ntp_session_timeout : interval] Time to wait before timing out an NTP request.
NOTE: This variable is const, so may only be changed via redef.

[rpc_timeout : interval] Time to wait before timing out an RPC request.
NOTE: This variable is const, so may only be changed via redef.

[watchdog_interval : interval] A SIGALRM is set for this interval to make sure that Bro does not get caught up doing something for too long. Fix me: True? If this happens, Bro is termination after doing a dump of all remaining packets.
NOTE: This variable is const, so may only be changed via redef.

[heartbeat_interval : interval] After each interval of this length, update the net_stats variable.
NOTE: This variable is const, so may only be changed via redef.

[anonymize_ip_addr : bool] If true (default = false), then IP addresses are anonymized in alert and log generation.
NOTE: This variable is const, so may only be changed via redef.

[omit_rewrite_place_holder : bool] If true, omit place holder packets when rewriting. Fix me: Should this go somewhere else?
NOTE: This variable is const, so may only be changed via redef.

[rewriting_http_trace : bool] If true (default = F), HTTP traces are rewritten.
NOTE: This variable is const, so may only be changed via redef.

[rewriting_smtp_trace : bool] If true (default = F), SMTP traces are rewritten.
NOTE: This variable is const, so may only be changed via redef.

code-red.bro

[code_red_log : file] The file into which Code Red-related alerts are written.

[code_red_list1 : table[addr] of count] A table which contains, for each IP address, how many Code Red I attacks were observed (based on a signature) by the machine at that address.

[code_red_list2 : table[addr] of count] A table which contains, for each IP address, how many Code Red II attacks were observed (based on a signature) by the machine at that address.

[local_code_red_response_pgm : string] By default, an empty string; if &redefed, the specified program will be invoked with the attack source IP as the argument the first time an attack from that IP is observed.

[remote_code_red_response_pgm : string] By default, an empty string; if &redefed, the specified program will be invoked with the attack destination IP as the argument the first time an attack on that IP is observed.

conn.bro

[have_FTP : bool] If true, ftp.bro has been loaded.

[have_SMTP : bool] If true, smtp.bro has been loaded.

[have_stats : bool] True if net_stats was ever updated with packet capture statistics.

[hot_conns_reported : set[string]] The set of connections (indexed by the entire 'hot' message) that have previously been flagged as hot.

[last_stat : net_stats] The last recorded snapshot of packet capture statistics, in a net_stats record.

[last_stat_time : time] The last time that network statistics were read into net_stats.

[RPC_server_map : table[addr, port] of string] Maps a given port on a given server's address to an RPC service. If we haven't loaded portmapper.bro, then it will be empty; see portmapper.bro and the portmapper module documentation for more information.

demux.bro

For more information on demultiplexing of connections, see the demux module(§ ).

[demux_dir : string] The name of the directory which will contain the files with demultiplexed connection data.

[demuxed_conn : set[conn_id]] The set of connections that are currently being demultiplexed.

dns.bro

[actually_rejected_PTR_anno : set[string]] Annotations that if returned for a PTR lookup actually indicate a rejected query; for example, "illegal-address.lbl.gov".
NOTE: This variable is const, so may only be changed via redef.

[sensitive_lookup_hosts : set[addr]] Hosts in this set generate an alert when they are returned in PTR queries, unless the originating host is in sensitive_lookup_hosts.
NOTE: This variable is const, so may only be changed via redef.

[okay_to_lookup_sensitive_hosts : set[addr]] If the DNS request originator is in this set, then it is allowed to look up ``sensitive'' hosts (see also sensitive_lookup_hosts without causing an alert.

[dns_log : file] The file into which DNS-related alerts are written.

[dns_sessions : table[addr, addr] of dns_session_info] A table of outstanding DNS sessions indexed by [client IP, server IP]. Fix me: Need to illustrate dns_sessions_info.

[num_dns_sessions : count] The total number of entries that have ever been in the dns_sessions table.

[distinct_PTR_requests : table[addr, string] of count] The number of DNS PTR requests obseverd with the given source address and request string.

[distinct_rejected_PTR_requests : table[addr] of count] How many DNS PTR requests from the given source address were rejected. A report is generated if this number crosses a threshold, namely, report_rejected_PTR_thresh.

[distinct_answered_PTR_requests : table[addr] of count] How many DNS PTR requests from the given source address were rejected.

[report_rejected_PTR_thresh : count] If this many DNS requests from a host are rejected, generate a possible PTR scan event.

[report_rejected_PTR_factor : double] If DNS requests from a host are rejected more than accepted by this factor, generate a PTR_scan event.

[allow_PTR_scans : set[addr]] The set of hosts for which a PTR_scan event does not generate a report (that is, the scan is allowed).

[did_PTR_scan_event : table[addr] of count] A table of hosts for which a PTR_scan event has been generated.

dns-mapping.bro

[dns_interesting_changes : h]e set of DNS mapping changes (according to lookups by Bro itself) that is interesting enough to alert on.
NOTE: This variable is const, so may only be changed via redef.

finger.bro

[hot_names : set[string]] If a finger request for any of the names in this set is observed, the associated connection is marked ``hot''.
NOTE: This variable is const, so may only be changed via redef.

[max_finger_request_len : count] If a finger request is longer than this length, then it is marked as ``hot''.
NOTE: This variable is const, so may only be changed via redef.

[rewrite_finger_trace : bool] Indicates whether or not finger requests are rewritten for anonymity.

ftp.bro

[ftp_log : file] The file into which FTP-related alerts are written.

[ftp_sessions : table[conn_id] of ftp_session_info]

[ftp_guest_ids : set[string]] The set of login IDs which are guest logins, e.g., ``anonymous'' and ``ftp''.
NOTE: This variable is const, so may only be changed via redef.

[ftp_skip_hot : set[addr, addr, string]] Indexed by source and destination addresses and the id, these connections are not marked as ``hot'' even if its data would to cause it to be otherwise.
NOTE: This variable is const, so may only be changed via redef.

[ftp_hot_files : pattern] If a filename matching this pattern is requested, the ftp_sensitive_file event is generated. The default behavior is to log the connection.
NOTE: This variable is const, so may only be changed via redef.

[ftp_hot_guest_files : pattern] If a user is logged in under a guest ID and attempts to retrieve a file matching this pattern, the ftp_sensitive_file event is generated. The default behavior is to log the connection.
NOTE: This variable is const, so may only be changed via redef.

[ftp_hot_cmds : table[string] of pattern] If an FTP command matches an index into the table and its argument matches the associated pattern, the connection is logged.
NOTE: This variable is const, so may only be changed via redef.

[skip_unexpected : set[addr]] Pairs of IP addresses for which we shouldn't bother logging if one of them is used in lieu of the other in a PORT or PASV directive.

[skip_unexpected_net : set[addr]] Similar to skip_unexpected, but matches a /24 subnet.

[ftp_data_expected : table[addr, port] of addr] Indexed by the server's responder pair, yields the address expected to make an FTP data connection to it.

[ftp_data_expected_session : table[addr, port] of ftp_session_info] Indexed by the server's responder pair, yields the associated ftp_session_info record for the expected incoming FTP data connection.

[ftp_excessive_filename_len : count] If an FTP request filename meets or exceeds this length, an FTP_ExcessiveFilename alert is generated.

[ftp_excessive_filename_trunc_len : count] How much of the excessively long filename is printed in the alert message.

[ftp_ignore_invalid_PORT : pattern] Invalid PORT/PASV directives that exactly match this pattern don't generate alerts.

[ftp_ignore_privileged_PASVs : set[port]] If an FTP PASV port is specified to be a privileged port (< 1024/tcp) then an FTP_PrivPort event is generated, EXCEPT if the port is in this set.

hot.bro

[same_local_net_is_spoof : bool] If true (default = F), it should be considered a spoofing attack if a connection has the same local net for source and destination.
NOTE: This variable is const, so may only be changed via redef.

[allow_spoof_services : set[port]] The services in this set are not counted as spoofed even if they pass the test from same_local_net_is_spoof.
NOTE: This variable is const, so may only be changed via redef.

[allow_pairs : set[addr, addr]] Connections between these (source address, destination address) pairs are never marked as ``hot''.
NOTE: This variable is const, so may only be changed via redef.

[allow_16_net_pairs : set[addr, addr]] Connections between these (/16 network, /32 destination host) pairs are never marked as ``hot''.
NOTE: This variable is const, so may only be changed via redef.

[hot_srcs : table[addr] of string] Connections from any of these sources are automatically marked ``hot'' with the associated message in the table.
NOTE: This variable is const, so may only be changed via redef.

[hot_dsts : table[addr] of string] Connections to any of these destinations are automatically marked ``hot'' with the associated message in the table.
NOTE: This variable is const, so may only be changed via redef.

[hot_src_24nets : table[addr] of string] Connections from any of these source /24 nets are automatically marked ``hot'' with the associated message in the table.
NOTE: This variable is const, so may only be changed via redef.

[hot_dst_24nets : table[addr] of string] Connections to any of these destination /24 nets are automatically marked ``hot'' with the associated message in the table.
NOTE: This variable is const, so may only be changed via redef.

[allow_services : set[port]] Connections to this set of services are never marked ``hot'' (based on port number).
NOTE: This variable is const, so may only be changed via redef.

[allow_services_to : set[addr, port]] Connections to the specified host and port are never marked ``hot''.
NOTE: This variable is const, so may only be changed via redef.

[allow_service_pairs : set[addr, addr, port]] Connections from the first address to the second on the specified destination port are never marked ``hot''.
NOTE: This variable is const, so may only be changed via redef.

[flag_successful_service : table[port] of string] Successful connections to any of the specified ports are flagged with the accompanying message. Examples are popular backdoor ports.
NOTE: This variable is const, so may only be changed via redef.

[flag_successful_inbound_service : table[port] of string] Incoming connections to the specified ports are flagged with the accompanying message. This is similar to flag_successful_service, but may be used when the port gives to many false positives for outgoing connections.
NOTE: This variable is const, so may only be changed via redef.

[terminate_successful_inbound_service : table[port] of string] Connections to this port, if previously flagged by flag_successful_service or flag_successful_incoming_service, are terminated.
NOTE: This variable is const, so may only be changed via redef.

[flag_rejected_service : table[port] of string] Failed connection attempts to the specified ports are marked as ``hot''.
NOTE: This variable is const, so may only be changed via redef.

hot-ids.bro

[forbidden_ids : set[string]] If any of these usernames/login IDs are used, the corresponding connection is terminated.
NOTE: This variable is const, so may only be changed via redef.

[forbidden_ids_if_no_password : set[string]] If any of these usernames/login IDs are used with no password, the corresponding connection is terminated.
NOTE: This variable is const, so may only be changed via redef.

[forbidden_id_patterns : pattern] If a username/login ID matches this pattern, the corresponding connection is terminated.
NOTE: This variable is const, so may only be changed via redef.

[always_hot_ids : set[string]] Connections that attempt to login with these IDs are always marked ``hot'', whether or not they succeed. See also hot_ids.
NOTE: This variable is const, so may only be changed via redef.

[hot_ids : set[string]] Similar to always_hot_ids, except that only successful connections are marked ``hot''.
NOTE: This variable is const, so may only be changed via redef.

http.bro

[http_log : file] The file into which HTTP-related alerts are written.

[http_sessions : table[addr, addr] of http_session_info] A [source, destination] indexed table of http_session_info records.

[include_HTTP_abstract : bool] Currently used to indicate whether or not an abstract of the HTTP request data will be included in a rewritten connection.

[log_HTTP_data : bool] If true, an abstract of the HTTP request data is included in a log message.

[maintain_http_sessions : bool] If true, HTTP sessions are maintained across multiple connections, otherwise we not (which saves some memory).

[process_HTTP_replies : bool] If true, HTTP replies (not just requests) are processed.

[process_HTTP_data : bool] If true, HTTP data is examined as needed (e.g., for making HTTP abstracts, as discussed below).

http-abstract.bro

[http_abstract_max_length : count] The maximum number of bytes used to store an abstract for an HTTP connection.
NOTE: This variable is const, so may only be changed via redef.

http-request.bro

[skip_remote_sensitive_URIs : pattern] URIs matching this pattern should not be considered sensitive if accessed remotely, i.e., by a local client.

[have_skip_remote_sensitive_URIs : bool] Due to a quirk in Bro, this must be redef'ed to T if you want to use skip_remote_sensitive_URIs.
NOTE: This variable is const, so may only be changed via redef.

[sensitive_URIs : pattern] URIs matching this pattern, but not matching worm_URIs, are logged. See also skip_remote_sensitive_URIs, sensitive_post_URIs.
NOTE: This variable is const, so may only be changed via redef.

[worm_URIs : pattern] URIs matching this pattern are not logged even if they match sensitive_URIs, since worms are so common they would clutter the logs.
NOTE: This variable is const, so may only be changed via redef.

[sensitive_post_URIs : pattern] URIs matching this pattern are logged if they are used with the HTTP ``POST'' method (rather than ``GET'').
NOTE: This variable is const, so may only be changed via redef.

icmp.bro

[icmp_flows : table[icmp_flow_id] of icmp_flow_info] A table tracking all ICMP ``flows'' by icmp_flow_id. ``Flows'', which are simply inferred related sequences of packets between two machines, based on ICMP ID, are timed out after (currently) 30 seconds of inactivity.

ident.bro

[hot_ident_ids : set[string]] If any of the User IDs in this set are returned in an ident response, an IdentSensitiveID alert is generated.

[hot_ident_exceptions : set[string]] Exceptions to the hot_ident_ids set.

[public_ident_user_ids : set[string]] User IDs in this set are described as ``public'' in a rewritten ident trace.

[public_ident_systems : set[string]] Operating system names in this set (e.g., ``UNIX'') are reported directly in a rewritten ident trace; other OSes will be reported as ``OTHER''.

[rewrite_ident_trace : bool] If true, traces will be rewritten (partially anonymized).

interconn.bro

[interconn_conns : table [conn_id] of conn_info] A conn_id-indexed table of all currently-tracked interactive connections. The table entries are conn_info records containing some very basic information about the connection.

[interconn_log : file] The file into which generic interactive-connection-related alerts are written.

[interconn_min_interarrival : interval] Used in computing the ``alpha'' parameter, which is used to determine which connections are interactive, based on the distribution of interarrival times. See also interconn_max_interarrival.
NOTE: This variable is const, so may only be changed via redef.

[interconn_max_interarrival : interval] Used in computing the ``alpha'' parameter, which is used to determine which connections are interactive, based on the distribution of interarrival times. See also interconn_min_interarrival.
NOTE: This variable is const, so may only be changed via redef.

[interconn_max_keystroke_pkt_size : count] The maximum packet size used to classify keystroke-containing packets.
NOTE: This variable is const, so may only be changed via redef.

[interconn_default_pkt_size : count] The estimated packet size used to calculate the number of packets missed when we see an ack above a hole. Fix me: Please verify.
NOTE: This variable is const, so may only be changed via redef.

[interconn_stat_period : interval] How often to generate a report of interconn stats.
NOTE: This variable is const, so may only be changed via redef.

[interconn_stat_backoff : double] Fix me: I don't fully understand is_expire in timers. The stat report generation interval (interconn_stat_period) is increased by this factor each time the report is generated [, unless the report is generated because all timers are artifically expired].
NOTE: This variable is const, so may only be changed via redef.

[interconn_min_num_pkts : count] A connection must have this number of packets transferred before it may be classified as interactive.
NOTE: This variable is const, so may only be changed via redef.

[interconn_min_duration : interval] A connection must last least this long before it may be classified as interactive.
NOTE: This variable is const, so may only be changed via redef.

[interconn_ssh_len_disabled : bool] If false (default = T), and at least one side of the connection has partial state (the initial negotiation was missed), then packets are examined to see if they fit the size distribution associated with interactive SSH connections.
NOTE: This variable is const, so may only be changed via redef.

[interconn_min_ssh_pkts_ratio : double] Analogous to ssh_min_ssh_pkts_ratio, except used in the context described in interconn_ssh_len_disabled.
NOTE: This variable is const, so may only be changed via redef.

[interconn_min_bytes : count] The number of bytes transferred on a connection must be at least this high before the connection may be classified as interactive.
NOTE: This variable is const, so may only be changed via redef.

[interconn_min_7bit_ascii_ratio : double] The ratio of 7-bit ASCII characters to total bytes must be at least this high before the connection may be classified as interactive.
NOTE: This variable is const, so may only be changed via redef.

[interconn_min_num_lines : count] The number of lines transferred on a connection must be at least this high before the connection may be classified as interactive.
NOTE: This variable is const, so may only be changed via redef.

[interconn_min_normal_line_ratio : double] The ratio of ``normal'' lines to total lines must be at least this high before the connection may be classified as interactive. A normal line, roughly speaking, is one whose length is within a certain bound. Fix me: Please verify this.
NOTE: This variable is const, so may only be changed via redef.

[interconn_min_alpha : double] The ``alpha'' parameter computed on connection must be at least this high before the connection may be classified as interactive. This parameter measures certain properties of packet interarrival times. See interconn.
NOTE: This variable is const, so may only be changed via redef.

[interconn_min_gamma : double] The ``gamme'' parameter computed on connection must be at least this high before the connection may be classified as interactive.
NOTE: This variable is const, so may only be changed via redef.

[interconn_standard_ports : set[port]] Connections to or from these ports are marked as interactive automatically, unless interconn_ignore_standard_ports is set to true.
NOTE: This variable is const, so may only be changed via redef.

[interconn_ignore_standard_ports : bool] If true (default = F), then all connections are analyzed for interactive patterns, regardless of port. See interconn_standard_ports.
NOTE: This variable is const, so may only be changed via redef.

[interconn_demux_disabled : bool] If false (default = T), then interactive connections are demuxed when being logged.
NOTE: This variable is const, so may only be changed via redef.

login.bro

[input_trouble : pattern] If a user's keystroke input matches this pattern, then an alert is generated.

[edited_input_trouble : pattern] If a user's keystroke input matches this pattern, taking into account backspace and delete characters, then an alert is generated.

[full_input_trouble : pattern] If this pattern is matched in a full line of input, an alert is generated.

[input_wait_for_output : pattern] The same as edited_input_trouble, except that the alert is delayed until the corresponding output is seen, so that both may be logged together.

[output_trouble : pattern] If the login output matches this pattern, an alert is generated.

[full_output_trouble : pattern] Similar to output_trouble, but the pattern must match the entire output.

[backdoor_prompts : pattern] If the login output matches this text, but not non_backdoor_prompts, generate a possible-backdoor alert.

[non_backdoor_prompts : pattern] See backdoor_prompts.

[hot_terminal_types : pattern] If the terminal type used matches this pattern, generate an alert.

[hot_telnet_orig_ports : set[port]] If the source port of a telnet connection is in this set, generate an alert.

[skip_authentication : set[string]] If a string in this set appears where an authentication prompt would normally, skip processing of authentication (typically for an unauthenticated system). Fix me: Please verify.
NOTE: This variable is const, so may only be changed via redef.

[login_prompts : set[string]] The set of strings that are recognized as login prompts anywhere on a line, e.g., ``Login:''.
NOTE: This variable is const, so may only be changed via redef.

[login_failure_msgs : set[string]] If any of these strings appear on a line following an authentication attempt, the attempt is considered to have failed, unless a string from login_non_failure_msgs also appears on the line. This set has higher precedence than login_success_msgs, and the same precedence as login_timeouts.
NOTE: This variable is const, so may only be changed via redef.

[login_non_failure_msgs : set[string]] If any of these strings appear on a line following an authentication attempt, the connection is not considered to have failed even if login_failure_msgs indicates otherwise.
NOTE: This variable is const, so may only be changed via redef.

[login_success_msgs : set[string]] If any of these messages is seen, the connection attempt is assumed to have succeeded. This set has lower precedence than login_failure_msgs and login_timeouts.
NOTE: This variable is const, so may only be changed via redef.

[login_timeouts : set[string]] If any of these messages is seen during the login phase, the connection attempt is assumed to have timed out. This set has higher precedence than login_success_msgs, and the same precedence as login_failure_msgs.
NOTE: This variable is const, so may only be changed via redef.

[router_prompts : pattern] Fix me: Don't know what this is

[non_ASCII_hosts : set[addr]] The set of hosts that do not use ASCII (and to whom logins are thus not processed).

[skip_logins_to : set[addr]] Do not process logins to this set of hosts.

[always_hot_login_ids : pattern] Login names which generate an alert even if the login is not successful.

[hot_login_ids : pattern] Login names which generate an alert, if the login is successful.

[rlogin_id_okay_if_no_password_exposed : set[string]] Login names in this set are those which are normally considered sensitive, but are allowed if the associated password is not exposed.

[login_sessions : table[conn_id] of login_session_info] A table, indexed by connection ID, of login_session_info records, characterizing each login session.

mime.bro

[mime_log : file] MIME message-related alerts are logged to this file.

[mime_sessions : table[conn_id] of mime_session_info] A table, indexed by connection ID, of mime_session_info records, characterizing each MIME session.

[check_relay_3 : function(session: mime_session_info, msg_id: string): bool] Fix me: Don't know about this

[check_relay_4 : function(session: mime_session_info, content_hash: string): bool] Fix me: Don't know about this

ntp.bro

[excessive_ntp_request : count] NTP requests over this length are considered ``excessive'' and will be flagged (marked ``hot'').
NOTE: This variable is const, so may only be changed via redef.

[allow_excessive_ntp_requests : set[addr]] NTP requests from an address in this set are never considered excessively long (see excessive_ntp_request).
NOTE: This variable is const, so may only be changed via redef.

port-names.bro

[port_names : table[port] of string] A mapping of well-known port numbers to the associated service names.
NOTE: This variable is const, so may only be changed via redef.

portmapper.bro

[rpc_programs : table[count] of string] A table correlating numeric RPC service IDs to string names of the services, e.g., [1000000] = ``portmapper''.

[NFS_services : set[string]] A set of string names of NFS-related RPC services.
NOTE: This variable is const, so may only be changed via redef.

[RPC_okay : set[addr, addr, string]] Indexed by the host providing the service, the host requesting it, and the service; do not log Sun portmapper requests from the specified requestor to the specified provider for the specified service.
NOTE: This variable is const, so may only be changed via redef.

[RPC_okay_nets : set[net]] Hosts in any of the networks in this set may make portmapper requests without being flagged.
NOTE: This variable is const, so may only be changed via redef.

[RPC_okay_services : set[string]] Requests for services in this set will not be flagged.
NOTE: This variable is const, so may only be changed via redef.

[NFS_world_servers : set[addr]] Any host may request NFS services from any of the machines in this set without being flagged..
NOTE: This variable is const, so may only be changed via redef.

[any_RPC_okay : set[addr, string]] Indexed by the service provider and the service (in string form); any host may access these services without being flagged.
NOTE: This variable is const, so may only be changed via redef.

[RPC_dump_okay : set[addr, addr]] Indexed by requesting host and providing host, respectively; dumps of RPC portmaps are allowed between these pairs.
NOTE: This variable is const, so may only be changed via redef.

[RPC_do_not_complain : set[string, bool]] Indexed by the portmapper request and a boolean that's T if the request was answered, F it was attempted but not answered. If there's an entry in the set matching the current request/attempt, then the access won't be logged (unless the connection is hot for some other reason).

[suppress_pm_log : set[addr, string]] Indexed by source and portmapper service. If set, we already logged and shouldn't do so again. Fix me: Presumably this can be preloaded with stuff, or we wouldn't need to document it.

rules.bro

[rule_actions : table[string] of count] Decide what to do when each rule (the index into the table) triggers: Ignore the rule (RULE_IGNORE); Process the rule but don't report it individually (RULE_QUIET); Log the match into rule_file (RULE_FILE); Log the match into both rule_file and the overall log file (generate an alert) (RULE_LOG). The default is RULE_FILE.
NOTE: This variable is const, so may only be changed via redef.

[rule_file : file] The file into which rule-based alerts are logged.

[horiz_scan_thresholds : set[count]] Log if for a pair (orig, rule) the number of different responders has reached one of the thresholds in this set.
NOTE: This variable is const, so may only be changed via redef.

[vert_scan_thresholds : set[count]] Log if for a pair (orig, resp) the number of different rule matches has reached one of the thresholds in this set.
NOTE: This variable is const, so may only be changed via redef.

scan.bro

[suppress_scan_checks : bool] If true, we suppress scan checking (we still do account-tried accounting). This is provided because scan checking can consume a lot of memory.

[report_peer_scan : set[count]] When the number of distinct machines connected to by a given external host reaches each of the levels in the set, an alert is generated.

NOTE: This variable is const, so may only be changed via redef.

[report_outbound_peer_scan : set[count]] When the number of distinct machines connected to by a given internal host reaches each of the levels in the set, an alert is generated.

NOTE: This variable is const, so may only be changed via redef.

[num_distinct_peers : table[addr] of count] A table indexed by a host's address which indicates how many distinct machines that host has connected to.

[distinct_peers : set[addr,addr]] A table indexed by source host and target machine that tracks which machines have been scanned by each host.

[num_distinct_ports : table[addr] of count] A table indexed by a host's address which indicates how many distinct ports that host has connected to.

[distinct_ports : set[addr, port]] A table indexed by source host and target port that tracks which ports have been scanned by each host.

[report_port_scan : set[count]] When the number of distinct ports connected to by a given external host reaches each of the levels in the set, an alert is generated.

NOTE: This variable is const, so may only be changed via redef.

[possible_port_scan_thresh : count] If a host tries to connect to more than this number of ports, it is considered a possible scanner.

NOTE: This variable is const, so may only be changed via redef.

[possible_scan_sources : set[addr]] Hosts are put in this set once they have scanned more than possible_port_scan_thresh ports.

[num_scan_triples : table[addr, addr] of count] Indexed by source address and destination address, the number of services scanned for on the latter by the former. This is only tracked for possible_scan_sources.

[scan_triples : set[addr, addr, port]] For possible_scan_sources as a source address, the triples of (source address, destination address, and service/port) scanned.

[accounts_tried : set[addr, string, string]] Which account names were tried, indexed by source address, user name tried, password tried.

[num_accounts_tried : table[addr] of count] How many accounts, as defined by a (user name, password) pair, were tried by the host with the given address.

[report_accounts_tried : set[count]] When the number of distinct accounts (username, password) tried by a given external host reaches each of the levels in the set, an alert is generated.
NOTE: This variable is const, so may only be changed via redef.

[report_remote_accounts_tried : set[count]] When the number of distinct remote accounts (username, password) tried by a given internal host reaches each of the levels in the set, an alert is generated.
NOTE: This variable is const, so may only be changed via redef.

[skip_accounts_tried : set[addr]] Hosts in this set are not subject to alerts based on report_accounts_tried and report_remote_accounts_tried.
NOTE: This variable is const, so may only be changed via redef.

[addl_web : set[port]] Ports in this set are treated as HTTP services.
NOTE: This variable is const, so may only be changed via redef.

[skip_services : set[port]] Connections to ports in this set are ignored for the purposes of scan detection.
NOTE: This variable is const, so may only be changed via redef.

[skip_outbound_services : set[port]] Connections to external machines on ports in this set are ignored for the purposes of scan detection.
NOTE: This variable is const, so may only be changed via redef.

[skip_scan_sources : set[addr]] Hosts in this set are ignored as possible sources of scans.
NOTE: This variable is const, so may only be changed via redef.

[skip_scan_nets_16 : set[addr,port]] Connections matching the specified (source host /16 subnet, port) pairs are ignored for the purpose of scan detection.
NOTE: This variable is const, so may only be changed via redef.

[skip_scan_nets_24 : set[addr,port]] Connections matching the specified (source host /24 subnet, port) pairs are ignored for the purpose of scan detection.
NOTE: This variable is const, so may only be changed via redef.

[backscatter_ports : set[port]] Reverse (SYN-ack) scans seen from these ports are considered to reflect possible SYN flooding backscatter and not true (stealth) scans.
NOTE: This variable is const, so may only be changed via redef.

[num_backscatter_peers : table[addr] of count] Indexed by a host, how many other hosts it connected to with a possible backscatter signature.

[distinct_backscatter_peers : table[addr, addr] of count] A table of [source, destination] observed backscatter activity; the table entry is a count of backscatter packets from the source to the destination.

[report_backscatter : set[count]] When the number of machines that a host has sent backscatter packets to reaches each of the levels in the set, an alert is generated.

Fix me: Need to document connection-dropping related variables.

global can_drop_connectivity = F &redef;
global drop_connectivity_script = "drop-connectivity" &redef;
global connectivity_dropped: set[addr];
const shut_down_scans: set[port] &redef;
const shut_down_all_scans = F &redef;
const shut_down_thresh = 100 &redef;
\indpredefvar{never_shut_down}{set[addr]}
\indpredefvar{never_drop_nets}{set[net]}
\indpredefvar{never_drop_16_nets}{set[net]}
\indpredefvar{did_drop_address}{table[addr] of count}

[root_servers : set[host]] The set of root DNS servers.
NOTE: This variable is const, so may only be changed via redef.

[gtld_servers : set[host]] The set of Generic Top-Level Domain servers (.com, .net, .org, etc.).
NOTE: This variable is const, so may only be changed via redef.

site.bro

[local_nets : set[net]] Class A/B/C networks that are considered ``local''.
NOTE: This variable is const, so may only be changed via redef.

[local_16_nets : set[addr]] /16 address blocks that are considered ``local''. These are derived directly from local_nets. Fix me: Please verify this.
NOTE: This variable is const, so may only be changed via redef.

[local_24_nets : set[addr]] /24 address blocks that are considered ``local''. These are derived directly from local_nets. Fix me: Please verify this.
NOTE: This variable is const, so may only be changed via redef.

[neighbor_nets : set[net]] Class A/B/C networks that are considered ``neighbors''. Note that unlike for local_nets, neighbor_16_nets is not merely a /16 addr version of neighbor_nets, but instead is consulted in addition to neighbor_nets.
NOTE: This variable is const, so may only be changed via redef.

[neighbor_16_nets : set[addr]] /16 address blocks that are considered ``neighbors''. Note that unlike for local_nets, neighbor_16_nets is not merely a /16 addr version of neighbor_nets, but instead is consulted in addition to neighbor_nets.
NOTE: This variable is const, so may only be changed via redef.

smtp.bro

[local_mail_addr : pattern] Email addresses matching this pattern are considered to be local. This is used to detect relaying.

[smtp_log : file] The file into which SMTP-related alerts are written.

[smtp_sessions : table[conn_id] of smtp_session_info] A table of smtp_session_info records tracking SMTP-related state for a given connection.

[process_smtp_relay : bool] If true (default = F), processing is done to check for mail relaying.
NOTE: This variable is const, so may only be changed via redef.

type smtp_session_info: record {
	id: count;
	connection_id: conn_id;
	external_orig: bool;
	in_data: bool;
	num_cmds: count;
	num_replies: count;
	cmds: smtp_cmd_info_list;
	in_header: bool;
	keep_current_header: bool;	# a hack till MIME rewriter is ready
	recipients: string;
	subject: string;
	content_hash: string;
	num_lines_in_body: count;	# lines in RFC 822 body before MIME decoding
	num_bytes_in_body: count;	# bytes in entity bodies after MIME decoding
	content_gap: bool;		# whether there is content gap in conversation

	relay_1_rcpt: string;	# external recipients
	relay_2_from: count; 	# session id of same recipient
	relay_2_to: count;
	relay_3_from: count; 	# session id of same msg id
	relay_3_to: count;
	relay_4_from: count; 	# session id of same content hash
	relay_4_to: count;
};

[smtp_legal_cmds : set[string]] The set of allowed SMTP commands (not currently used). Fix me: Is it used somewhere?
NOTE: This variable is const, so may only be changed via redef.

[smtp_hot_cmds : table[string] of pattern] If an SMTP command matching an index into the table has an argument matching the associated pattern, then the request and its reply are logged.
NOTE: This variable is const, so may only be changed via redef.

[smtp_sensitive_cmds : set[string]] If an SMTP command is in this set, the request and its reply are logged.
NOTE: This variable is const, so may only be changed via redef.

smtp-relay.bro

[relay_log : file] Alerts related to email relaying go in this file.

[smtp_relay_table : table[count] of smtp_session_info] A table indexed by SMTP session ID (session$id) that keeps track of each session in an smtp_session_info record.

[smtp_session_by_recipient : table[string] of smtp_session_info] A table indexed by the recipient that holds the corresponding smtp_session_info record.

[smtp_session_by_message_id : table[string] of smtp_session_info] A table indexed by the email message ID that holds the corresponding smtp_session_info record.

[smtp_session_by_content_hash : table[string] of smtp_session_info] A table indexed by the MD5 hash of the message that holds the corresponding smtp_session_info record. Fix me: Currently unimplemented?

software.bro

[software_file : file] Alerts related to host software detection go in this file.

[software_table : table[addr] of software_set] A table of the software running on each host. A software_set is itself a table, indexed by the name of the software, of software records.

[software_ident_by_major : set[string]] Software names in this set could be installed twice on the same machine with different major version numbers. Such software is identified as ``Software-N'' where N is the major version number, to disambiguate the two.

ssh.bro

[ssh_log : file] Alerts related to ssh connections go in this file.

[did_ssh_version : table[addr, bool] of count] Indexed by host IP and (T for client, F for server), the table tracks if we have recorded the SSH version. Values of one and greater are essentially equivalent.

stepping.bro

[step_log : file] Alerts related to stepping-stone detection go in this file.

[display_pairs : table[addr, string] of connection] If <conn> was a login to <dst> propagating a $DISPLAY of <display>, then we make an entry of [<dst>, <display>] = <conn>.

[tag_to_conn_map : table[string] of connection] Maps login tags like "Last login ..." to connections.

[conn_tag_info : table[conn_id] of tag_info] A table, indexed by connection ID, of the tag_info related to it. Roughly, ``tag info'' consists of login strings like ``Last login'' and $DISPLAY variables. Since this information can stay constant across stepping stones, it is used to detect them.

[detected_stones : table[addr, port, addr, port, addr, port, addr, port] of count] Indexed by two pairs of connections: (addr,port)->(addr,port) and (addr,port)->(addr,port) that have been detected to be multiple links in a stepping stone chain. The table value is the ``score'' of the pair of connections; the higher the score, the more likely it is to be a real stepping stone pair. More points are assigned for a timing-based correlation than, say, a $DISPLAY-based correlation.

[did_stone_summary : table[addr, port, addr, port, addr, port, addr, port] of count] Basically tracks which suspected stepping stone connection pairs have had alerts generated for them. See detected_stones for the indexing scheme.

[stp_delta : interval]
NOTE: This variable is const, so may only be changed via redef.

[stp_idle_min : interval]
NOTE: This variable is const, so may only be changed via redef.

[stp_ratio_thresh : double] For timing correlations, the proportion of idle times that must match up for the correlation to be considered significant.

NOTE: This variable is const, so may only be changed via redef.

[stp_scale : double]

NOTE: This variable is const, so may only be changed via redef.

[stp_common_host_thresh : count]

NOTE: This variable is const, so may only be changed via redef.

[stp_random_pair_thresh : count]

NOTE: This variable is const, so may only be changed via redef.

[stp_demux_disabled : count]

NOTE: This variable is const, so may only be changed via redef.

[skip_clear_ssh_reports : set[addr, string]]

NOTE: This variable is const, so may only be changed via redef.

tftp.bro

[tftp_alert_count : table[addr] of count] Keeps track of the number of observed outbound TFTP connections from each host.

udp.bro

[udp_req_count : table[conn_id] of count] Keeps track of the number of UDP requests sent over each connection.

[udp_rep_count : table[conn_id] of count] Fix me: not really sure

[udp_did_summary : table[conn_id] of count] Keeps track of which connections have been summarized/recorded Fix me: what is it really? do people use this?

weird.bro

[weird_log : file] Alerts related to weird (unexpected or inconsistent) traffic go in this file.

[weird_action : table[string] of WeirdAction] A table of what to do (a WeirdAction) when faced with a particular ``weird'' scenario (the index). Example include logging to the special ``weird'' file or ignoring the condition.

[weird_action_filters : table[string] of function(c: connection): WeirdAction] If an entry exists in this table for a given weird situation, then the corresponding entry is used to determine what action to take; the default is to look in weird_action.

[weird_ignore_host : set[addr, string]] (host, weird condition) pairs in this set are ignored for the purposes of reporting.
NOTE: This variable is const, so may only be changed via redef.

[weird_do_not_ignore_repeats : set[string]] The included alert conditions are reported even if they are repeated.
NOTE: This variable is const, so may only be changed via redef.

worm.bro

[worm_log : file] The file into which worm-detection-related alerts are written.

[worm_list : table[addr] of count] A table of infected hosts, indexed by the infected hosts' addresses. The value is how many times the instance has been seen sending packets.

[worm_type_list : table[addr, string] of count] A table of infected hosts, indexed by host address and type of worm. The value is how many times that particular worm has been seen on the host.

Uncategorized

Fix me: These need categorization.

[bro_log_file : file] Used to record the messages logged by log statements.

Default: stderr, unless you @load the log analyzer; see §  for further discussion.

[capture_filter : string] Specifies what packets Bro's filter should record (§ ).

[direct_login_prompts : set[string]] Strings that when seen in a login dialog indicate that the user will be directly logged in after entering their username, without requiring a password (§ ).

[discarder_maxlen : int] The maximum amount of data that Bro should pass to a TCP or UDP discarder (§ ).

Default: 128 bytes.

[done_with_network : bool] Set to true when Bro is done reading from the network (or from the save files being played back, per § ). The variable is set by a handler for net_done.

Default: initially set to false.

[interfaces : string] A blank-separated list of network interfaces from which Bro should read network traffic. Bro merges packets from the interfaces according to their timestamps. Deficiency: All interfaces must have the same link layer type.

If empty, then Bro does not read any network traffic, unless one or more interfaces are specified using the -i flag.

Note: interfaces has an &add_func that allows you to add interfaces to the list simply using a += initialization (§ ).

Default: empty.

[max_timer_expires : count] Sets an upper limit on how many pending timers Bro will expire per newly arriving packet. If set to 0, then Bro expires all pending timers whose time has come or past. This variable trades off timer accuracy and memory requirements (because a number of Bro's internal timers relate to expiring state) with potentially bursty load spikes due to a lot of timers expiring at the same time, which can trigger the watchdog, if active.

[restrict_filter : string] Restricts what packets Bro's filter should record (§ ).


next up previous contents index
Next: Predefined Functions Up: Predefined Variables and Functions Previous: Predefined Variables and Functions   Contents   Index
Vern Paxson 2004-03-21