Releases: cochaviz/botmon
Calibration Functionality
Added --calibrate mode to log per‑window threshold guidance without emitting alerts. Calibration logs include global packet rate avg/max, host rate avg/max per scan mode, and top destination details, plus a null‑test activity flag.
Improved Scanning Detection
Release notes (since v0.1.4)
Highlights
- Horizontal scan detection now uses host IP diversity (not IP/port/proto), with scan labels reflecting hosts only.
- New scan detection modes: host-rate, new-host-rate, and filtered-host-rate (default).
- Scan classification now derives from local attack results; outbound connection alerts are suppressed during active scans.
Changes
- Destination equality ignores protocol for comparison while still storing it for logging.
- Local behavior is classified first, then used to inform global scan behavior.
- Scan signature text now explicitly references horizontal host-rate scans.
Deprecations
--destination-rate-mode is now a deprecated alias of --scan-detection-mode.
Unbounded memory usage hotfix
Fixes an issue where ringbuffers for taking flow snapshots weren't cleared after each window. In the case of prolonged scanning, this would create an incredibly large map, even if the size of each ringbuffer was bounded.
Full Changelog: v0.1.3...v0.1.4
Packet flushing hotfix
Fixed an issue where window events wouldn't be flushed if constant high traffic was processed.
Improved scanning detection
The global packet rate was previously part of the logic determining a scan. This has now been decoupled: scan classification is determined solely by destination diversity, i.e. the number of destinations in the current window that were not in the previous window, normalized over the window size.
Before, attacks and scans were both global behavior, which gave some reason to link the two variables. But since attacks are now determined per destination, tying a local variable to a global one produces some odd results.
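As an added illustration (not the project's code, and assuming nothing about botmon's internals), a Python sketch of the windowed host-diversity check described above, run over constructed sample flows, with the per-host snapshot ring buffers cleared at every window boundary as in the memory hotfix:

```python
from collections import defaultdict, deque

# Constructed sample traffic (not captured from the project): (time_s, src, dst_host, dst_port, proto).
# Windows 0 and 1 repeat the same two hosts; window 2 fans out to four new hosts (horizontal scan).
FLOWS = [
    (0.1, "10.0.0.5", "10.0.1.1", 443, "tcp"),
    (0.4, "10.0.0.5", "10.0.1.2", 443, "tcp"),
    (1.2, "10.0.0.5", "10.0.1.1", 53, "udp"),   # same host, new port/proto: not a new destination
    (1.6, "10.0.0.5", "10.0.1.2", 80, "tcp"),
    (2.0, "10.0.0.5", "10.0.2.1", 22, "tcp"),
    (2.1, "10.0.0.5", "10.0.2.2", 22, "tcp"),
    (2.2, "10.0.0.5", "10.0.2.3", 22, "tcp"),
    (2.3, "10.0.0.5", "10.0.2.4", 22, "tcp"),
    (2.4, "10.0.0.5", "10.0.1.1", 22, "tcp"),   # host already seen last window: adds no diversity
]

SNAPSHOT_DEPTH = 4  # assumed bound on each per-host ring buffer of recent flows

def host_diversity(current_hosts, previous_hosts, window_size):
    """Destination diversity as defined above: destination hosts seen in the current
    window but not in the previous one, normalized over the window size.
    Only host IPs are compared; port and protocol are ignored (hosts-only scan labels)."""
    return len(current_hosts - previous_hosts) / window_size

def classify_windows(flows, window_size=1.0, threshold=3.0):
    """Return (window_index, diversity, is_scan) per observed window. The snapshot map
    is reset at each boundary so memory stays bounded during a prolonged scan."""
    results = []
    previous_hosts, current_hosts = set(), set()
    snapshots = defaultdict(lambda: deque(maxlen=SNAPSHOT_DEPTH))
    current_idx = None
    for t, src, dst, port, proto in sorted(flows):
        idx = int(t // window_size)
        if current_idx is None:
            current_idx = idx
        if idx != current_idx:  # window boundary: close out the old window
            d = host_diversity(current_hosts, previous_hosts, window_size)
            results.append((current_idx, d, d >= threshold))
            # a window's hosts count as "previous" only for the window directly after it
            previous_hosts = current_hosts if idx == current_idx + 1 else set()
            current_hosts = set()
            snapshots.clear()  # the hotfix: without this the map grows for the process lifetime
            current_idx = idx
        current_hosts.add(dst)
        snapshots[dst].append((t, src, port, proto))  # port/proto kept for logging only
    if current_idx is not None:
        d = host_diversity(current_hosts, previous_hosts, window_size)
        results.append((current_idx, d, d >= threshold))
    return results
```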
Add versioning information
Full Changelog: v0.1.0...v0.1.1
Initial release
First full-feature release. The output will probably change somewhat, but the focus for now is stability and predictability.