mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 06:38:20 +00:00
37 lines
1.5 KiB
Text
# DESCRIPTION:
#
# This file is used by the report generator to assign scores to
# certain types of alerts. Use this file to increase the likelihood
# that a certain type of alarm makes it into the report. The scores listed
# in this file will be added to any scores derived by the report
# generator. The format is -> ALERT_TYPE<white space>SCORE
#
# The score derived by the report generator is influenced by certain
# traffic patterns. If an alarm is generated and a connection is
# seen coming from the victim host back to the suspect host, this will
# drive the score past the $ALARM_THRESHOLD. Also, an alarm generated by
# a host on the internal network will likely produce a score higher
# than the $ALARM_THRESHOLD. This functionality only affects alarms
# which produce an incident.
#
# EXAMPLE:
# Let's assume you have created a custom alert type of
# "Employee_Did_Something_Bad". Let's also assume that this alarm
# is triggered only under certain conditions and you know the alarm is
# always correct or of great interest. To make it always show up in
# the report, set the score to something equal to or higher than the
# $ALARM_THRESHOLD (default: 100).
#
# NOTES:
#
# The only alert type that cannot be given a score is
# "SensitiveSignature". Instead, signatures are given their own
# scores, specified in their meta-data. (still in the works)
#

TRWAddressSca 40
WeirdActivit 1
PortScan 20
PasswordGuessing 60
MultipleSignature 20
_DEFAULT_ 0
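The following is an added illustration, not code from Zeek/Bro or its report generator: a parser for the ALERT_TYPE<white space>SCORE format described in the comments above, plus a scoring function that combines the configured score with the two traffic-pattern adjustments the comments mention (a reverse connection from victim to suspect, and an internal source host) and checks the result against $ALARM_THRESHOLD. The file only states that these patterns drive the score past the threshold, not by how much, so the bonus values REVERSE_CONN_BONUS and INTERNAL_SRC_BONUS, the function names, and the sample score file are assumptions made here.

```python
"""Added example (not Zeek/Bro code): parse an alert score file and apply
the threshold logic described in the file's comments.

Assumptions not taken from the file: the two bonus values below, the
function names, and the constructed SAMPLE_SCORE_FILE contents."""

ALARM_THRESHOLD = 100      # default named in the file's comments
REVERSE_CONN_BONUS = 100   # assumed: a victim->suspect connection alone reaches the threshold
INTERNAL_SRC_BONUS = 80    # assumed: an internal source "likely" pushes an alarm over it

# Constructed sample in the ALERT_TYPE<white space>SCORE format.
SAMPLE_SCORE_FILE = """\
# scores added to whatever the report generator derives
PortScan 20
PasswordGuessing 60
Employee_Did_Something_Bad 100
SensitiveSignature 90
_DEFAULT_ 0
"""


def parse_score_file(text):
    """Return a dict of alert type -> score.

    Blank lines and lines starting with '#' are skipped. A line that is not
    exactly two whitespace-separated fields, or whose score is not an
    integer, raises ValueError with the line number. SensitiveSignature
    entries are dropped because signatures carry their own scores in their
    meta-data and cannot be scored here.
    """
    scores = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected ALERT_TYPE SCORE, got {raw!r}")
        alert_type, score_text = fields
        try:
            score = int(score_text)
        except ValueError:
            raise ValueError(f"line {lineno}: score is not an integer: {raw!r}") from None
        if alert_type == "SensitiveSignature":
            continue
        scores[alert_type] = score
    return scores


def configured_score(scores, alert_type):
    """Score from the file for this type, falling back to _DEFAULT_ (or 0)."""
    return scores.get(alert_type, scores.get("_DEFAULT_", 0))


def alarm_score(scores, alert_type, reverse_connection=False, internal_source=False):
    """Configured score plus the report generator's traffic-pattern bonuses."""
    score = configured_score(scores, alert_type)
    if reverse_connection:   # victim host connected back to the suspect host
        score += REVERSE_CONN_BONUS
    if internal_source:      # alarm raised by a host on the internal network
        score += INTERNAL_SRC_BONUS
    return score


def produces_incident(score, threshold=ALARM_THRESHOLD):
    """An alarm shows up in the report once its score reaches the threshold."""
    return score >= threshold


if __name__ == "__main__":
    table = parse_score_file(SAMPLE_SCORE_FILE)
    cases = [
        ("PortScan", False, False),
        ("PortScan", True, False),
        ("PasswordGuessing", False, True),
        ("Employee_Did_Something_Bad", False, False),
        ("UnknownType", False, False),
    ]
    for alert_type, reverse, internal in cases:
        total = alarm_score(table, alert_type, reverse, internal)
        print(f"{alert_type:28} reverse={reverse!s:5} internal={internal!s:5} "
              f"score={total:4} incident={produces_incident(total)}")
```

With these assumed bonuses, a PortScan on its own (20) never reaches the report, the same PortScan with a victim-to-suspect connection does (120), and Employee_Did_Something_Bad at exactly 100 always does, which is the behaviour the EXAMPLE section describes.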