weird variables

The standard weird script provides the following redefinable variables:
weird_action : table[string] of count
Maps the name of a weird event to the action to take for it. Default: as specified for conn_weird, conn_weird_addl, flow_weird, net_weird,
and the events generated by the standard scripts. As usual, you can change particular
values using refinement. For example:
redef weird_action: table[string] of count += {
[["bad_TCP_checksum", "bad_UDP_checksum"]] = WEIRD_IGNORE,
["fragment_overlap"] = WEIRD_LOG_PER_CONN,
};
would ignore TCP and UDP checksum errors (rather than the default
of WEIRD_FILE), and would log fragment overlaps once per connection
in which they occur, rather than the default of WEIRD_LOG_ALWAYS.
weird_action_filters : table[string] of function(c: connection): count
Maps the name of a weird event to a function that is called with the connection
on which the event occurred and returns the action to take for that particular
instance. A return value of WEIRD_UNSPECIFIED
means "no special action, use the action you normally would."
This variable thus allows arbitrary
customization of the handling of particular events.
Default: empty, for the weird analyzer itself. The RPC
analyzer redefines this variable as follows:
redef weird_action_filters += {
[["bad_RPC", "excess_RPC", "multiple_RPCs",
"partial_RPC"]] = RPC_weird_action_filter,
};
where RPC_weird_action_filter is a function internal to the
RPC analyzer that returns WEIRD_FILE if the originating host
is in , and WEIRD_UNSPECIFIED otherwise.
weird_ignore_host : set[addr, string]
Pairs of host address and weird event name; the named weird event is
ignored when it involves the given host. Default: empty.
weird_do_not_ignore_repeats : set[string]
Weird events that, even though their action is WEIRD_FILE (which otherwise
does not record repeats of an event it has already seen),
should still be recorded to the weird_file each time they occur.
Default: the events relating to checksum errors, i.e.,
"bad_IP_checksum",
"bad_TCP_checksum",
"bad_UDP_checksum", and
"bad_ICMP_checksum".
These are recorded multiple times because it can prove handy to
be able to track clusters of checksum errors.
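The three variables above combine into one customization: a filter function that downgrades an event to WEIRD_FILE only for connections originating inside a trusted address range, a single host/event pair silenced with weird_ignore_host rather than disabling the event globally, and an entry in weird_do_not_ignore_repeats so that the filed events are still recorded every time. The following is an added example written for this page; it is not code from the Bro manual or from the weird or RPC scripts. The set name trusted_nets, the function name trusted_net_weird_filter, the addresses, and the assumption that the script is loaded as "weird" are all invented for the example; the connection field c$id$orig_h is the standard originator address.

```bro
# Added example, not part of the weird script.  Assumes the weird script
# loads as "weird" and that connection records carry c$id$orig_h.
@load weird

# Originator networks where fragment overlaps are expected (e.g. behind a
# known-odd middlebox).  Constructed addresses for this example.
const trusted_nets: set[subnet] = { 10.1.0.0/16, 192.168.5.0/24 } &redef;

# A weird_action_filters entry: called with the connection on which the
# event occurred, returns the action for this instance.  Returning
# WEIRD_UNSPECIFIED hands the decision back to the normal weird_action
# lookup, so untrusted originators keep the WEIRD_LOG_ALWAYS default.
function trusted_net_weird_filter(c: connection): count
	{
	if ( c$id$orig_h in trusted_nets )
		return WEIRD_FILE;		# record to weird_file, no log entry

	return WEIRD_UNSPECIFIED;	# fall back to weird_action's value
	}

redef weird_action_filters += {
	["fragment_overlap"] = trusted_net_weird_filter,
};

# One scanner (constructed address) floods us with bad TCP checksums.
# Silence only that host/event pair instead of redefining weird_action
# to WEIRD_IGNORE for every host.
redef weird_ignore_host += {
	[203.0.113.7, "bad_TCP_checksum"],
};

# Filed fragment_overlap events would otherwise be recorded once; keep
# every occurrence so clusters can be tracked, as is done for checksums.
redef weird_do_not_ignore_repeats += { "fragment_overlap" };
```

The filter returns WEIRD_UNSPECIFIED rather than repeating the default action literally, so a later redef of weird_action for "fragment_overlap" still takes effect for untrusted originators without touching the filter.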