backdoor_log : file
The file into which alerts about backdoor servers are written.
backdoor_min_num_lines : count
The number of lines of input and output (Fixme: must be telnet?) must exceed this value to trigger backdoor checking.
Note: This variable is const, so may only be changed via redef.
backdoor_min_normal_line_ratio : double
If the fraction of “normal” (less than a certain length) lines is below this value, then backdoor checking is not performed.
Note: This variable is const, so may only be changed via redef.
The total number of bytes transferred on the connection must be at least this large in order for backdoor checking to be performed.
Note: This variable is const, so may only be changed via redef.
backdoor_min_7bit_ascii_ratio : double
The fraction of 7-bit ASCII characters out of all bytes transferred must be at least this large in order for backdoor checking to be performed.
Note: This variable is const, so may only be changed via redef.
backdoor_demux_disabled : bool
If T (the default), then suspected backdoor connections are not demuxed into sender and receiver streams.
Note: This variable is const, so may only be changed via redef.
backdoor_demux_skip_tags : set[string]
If the type of backdoor (the tag) is in this set, the connection will not be demuxed.
Note: This variable is const, so may only be changed via redef.
backdoor_ignore_src_addrs : table[string, addr] of bool
If the suspected backdoor name (“*” for any) and the source address (or its /16 or /24 subnet) are in this table as a pair, then the backdoor is not logged.
Note: This variable is const, so may only be changed via redef.
backdoor_ignore_dst_addrs : table[string, addr] of bool
If the suspected backdoor name (“*” for any) and the destination address (or its /16 or /24 subnet) are in this table as a pair, then the backdoor is not logged.
Note: This variable is const, so may only be changed via redef.
backdoor_ignore_ports : table[string, port] of bool
(Signature, well-known port) pairs in this table do not generate a backdoor alert.
Note: This variable is const, so may only be changed via redef.
backdoor_standard_ports : set[port]
See backdoor_annotate_standard_ports.
Note: This variable is const, so may only be changed via redef.
backdoor_stat_period : interval
A report on backdoor stats is generated at this interval.
Note: This variable is const, so may only be changed via redef.
backdoor_stat_backoff : interval
The backdoor report interval (backdoor_stat_period) is increased by this factor each time a report is generated, unless the timers are artificially expired. (Fixme: Not sure about the exact definition here.)
Note: This variable is const, so may only be changed via redef.
backdoor_annotate_standard_ports : bool
If T (the default), backdoor alerts for connections on backdoor_standard_ports are annotated with the backdoor tag name.
Note: This variable is const, so may only be changed via redef.
ssh_sig_disabled : bool
If T (default = F), then matches against the SSH signature are ignored.
Note: This variable is const, so may only be changed via redef.
telnet_sig_disabled : bool
If T (default = F), then matches against the telnet signature are ignored.
Note: This variable is const, so may only be changed via redef.
telnet_sig_3byte_disabled : bool
If T (default = F), then matches against the 3-byte telnet signature are ignored.
Note: This variable is const, so may only be changed via redef.
rlogin_sig_disabled : bool
If T (default = F), then matches against the rlogin signature are ignored.
Note: This variable is const, so may only be changed via redef.
rlogin_sig_1byte_disabled : bool
If T (default = F), then matches against the 1-byte rlogin signature are ignored.
Note: This variable is const, so may only be changed via redef.
root_backdoor_sig_disabled : bool
If T (default = F), then matches against the root backdoor signature are ignored.
Note: This variable is const, so may only be changed via redef.
ftp_sig_disabled : bool
If T (default = F), then matches against the FTP signature are ignored.
Note: This variable is const, so may only be changed via redef.
napster_sig_disabled : bool
If T (default = F), then matches against the Napster signature are ignored.
Note: This variable is const, so may only be changed via redef.
gnutella_sig_disabled : bool
If T (default = F), then matches against the Gnutella signature are ignored.
Note: This variable is const, so may only be changed via redef.
kazaa_sig_disabled : bool
If T (default = F), then matches against the KaZaA signature are ignored.
Note: This variable is const, so may only be changed via redef.
http_sig_disabled : bool
If T (default = F), then matches against the HTTP signature are ignored.
Note: This variable is const, so may only be changed via redef.
http_proxy_sig_disabled : bool
If T (default = F), then matches against the HTTP proxy signature are ignored.
Note: This variable is const, so may only be changed via redef.
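Since every variable above is declared const, the only way to tune the analyzer is a redef in a site policy script. The following is an added example, not a script shipped with Bro or taken from this manual: it redefines the interactivity thresholds and ignore tables described in the first part of this section together with the per-signature toggles described just above. The address 192.168.10.0, host 10.1.2.3, ports 6699/tcp and 2222/tcp, and every numeric threshold are assumptions chosen for illustration; the tag names used ("ftp-sig", "napster-sig", "*") are the ones this section mentions.

```bro
# site-backdoor.bro: added example of tuning the backdoor analyzer via redef.
# Not part of the Bro distribution. All values, addresses and ports below
# are assumptions; adjust them to the site being monitored.

@load backdoor

# Interactivity gate: require a somewhat longer, mostly-text exchange before
# a connection is examined at all, so that banner grabs and one-line probes
# are not checked for backdoor signatures.
redef backdoor_min_num_lines = 4;
redef backdoor_min_normal_line_ratio = 0.5;
redef backdoor_min_7bit_ascii_ratio = 0.8;

# Suppression. The first entry whitelists the FTP signature for every host
# in the (assumed) server /24 as the source of the connection; the second
# whitelists every signature ("*") for one (assumed) destination host.
redef backdoor_ignore_src_addrs += { ["ftp-sig", 192.168.10.0] = T };
redef backdoor_ignore_dst_addrs += { ["*", 10.1.2.3] = T };

# A (signature, well-known port) pair: the Napster signature seen on the
# port it is expected on (assumed here to be 6699/tcp) is not a backdoor.
redef backdoor_ignore_ports += { ["napster-sig", 6699/tcp] = T };

# Alerts for services on an additional standard port (assumed: SSH moved to
# 2222/tcp) are still reported but annotated with the backdoor tag name.
redef backdoor_standard_ports += { 2222/tcp };
redef backdoor_annotate_standard_ports = T;

# Demux suspected backdoors into sender/receiver streams, except for FTP
# signature hits, which the site reviews without the demuxed streams.
redef backdoor_demux_disabled = F;
redef backdoor_demux_skip_tags += { "ftp-sig" };

# Report statistics every 15 minutes instead of the default period.
redef backdoor_stat_period = 15 min;

# Per-signature toggles: this site does not care about peer-to-peer
# clients, so those matches are ignored entirely.
redef napster_sig_disabled = T;
redef gnutella_sig_disabled = T;
redef kazaa_sig_disabled = T;
```

Load it alongside the rest of the site policy (for example, `bro -i eth0 site-backdoor.bro`). Note the difference between the two suppression mechanisms: the ignore tables stop the alert from being logged after a signature has matched, while the `*_sig_disabled` toggles stop the signature from being matched at all, so a disabled signature also never populates `did_sigconns`.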
did_sigconns : table[conn_id] of set[string]
A table which indicates, for each connection, which backdoor server signatures were found in the connection's traffic, e.g., “ftp-sig” or “napster-sig”.
rlogin_conns : table[conn_id] of rlogin_conn_info
A table that holds relevant state variables (an rlogin_conn_info record) for rsh connections.
root_backdoor_sig_conns : set[conn_id]
The set of connections for which a root backdoor signature (“root-bd-sig”) has been detected.
ssh_len_conns : set[conn_id]
The set of connections that are predicted to contain SSH traffic, based on the proportion of packets that meet the expected packet size distribution. Relevant parameters are ssh_min_num_pkts and ssh_min_ssh_pkts_ratio, which are local to backdoor.
ssh_min_num_pkts : count
The minimum number of packets that look like SSH packets that allow a stream to be classified as such.
ssh_min_ssh_pkts_ratio : double
The minimum fraction of packets in a stream that look like SSH packets that allow a stream to be classified as such.
Note: This variable is const, so may only be changed via redef.
telnet_sig_conns : table[conn_id] of count
The set of connections that are predicted to be Telnet connections, based on observation of the Telnet signature, the IAC byte (0xff).
telnet_sig_3byte_conns : table[conn_id] of count
Similar to telnet_sig_conns, but the signature matched is a whole 3-byte Telnet command sequence.