main.bro¶

Signatures¶

Script level signature support. See the signature documentation for more information about Bro’s signature engine.

Namespace:	Signatures
Imports:	base/frameworks/notice
Source File:	`/scripts/base/frameworks/signatures/main.bro`

Summary¶

Runtime Options¶

`Signatures::ignored_ids`: `pattern` `&redef`	Signature IDs that should always be ignored.
`Signatures::summary_interval`: `interval` `&redef`	The interval between when `Signatures::Signature_Summary` notices are generated.

Redefinable Options¶

`Signatures::actions`: `table` `&redef` `&default` = `Signatures::SIG_ALARM` `&optional`	Actions for a signature.
`Signatures::count_thresholds`: `set` `&redef`	Generate a notice if a `Signatures::SIG_COUNT_PER_RESP` signature is triggered as often as given by one of these thresholds.
`Signatures::horiz_scan_thresholds`: `set` `&redef`	Generate a notice if, for a pair [orig, signature], the number of different responders has reached one of the thresholds.
`Signatures::vert_scan_thresholds`: `set` `&redef`	Generate a notice if, for a pair [orig, resp], the number of different signature matches has reached one of the thresholds.

Types¶

`Signatures::Action`: `enum`	These are the default actions you can apply to signature matches.
`Signatures::Info`: `record`	The record type which contains the column fields of the signature log.

Redefinitions¶

`Log::ID`: `enum`	The signature logging stream identifier.
`Notice::Type`: `enum`	Add various signature-related notice types.

Events¶

Signatures::log_signature: event This event can be handled to access/alter data about to be logged to the signature logging stream.

Detailed Interface¶

Runtime Options¶

Signatures::ignored_ids¶

Type:	`pattern`
Attributes:	`&redef`
Default:

/(^?(^?(^webapp-)$?)$?)|(^?((^?(^?(traceroute-detector.*)$?)$?)|(^?(^?(NO_DEFAULT_MATCHES)$?)$?))$?)/

Signature IDs that should always be ignored.

Signatures::summary_interval¶

Type:	`interval`
Attributes:	`&redef`
Default:	`1.0 day`

The interval between when Signatures::Signature_Summary notices are generated.

Redefinable Options¶

Signatures::actions¶

Type:	`table` [`string`] of `Signatures::Action`
Attributes:	`&redef` `&default` = `Signatures::SIG_ALARM` `&optional`
Default:

{
   ["unspecified"] = Signatures::SIG_IGNORE
}

Actions for a signature.

Signatures::count_thresholds¶

Type:	`set` [`count`]
Attributes:	`&redef`
Default:

Generate a notice if a Signatures::SIG_COUNT_PER_RESP signature is triggered as often as given by one of these thresholds.

Signatures::horiz_scan_thresholds¶

Type:	`set` [`count`]
Attributes:	`&redef`
Default:

Generate a notice if, for a pair [orig, signature], the number of different responders has reached one of the thresholds.

Signatures::vert_scan_thresholds¶

Type:	`set` [`count`]
Attributes:	`&redef`
Default:

Generate a notice if, for a pair [orig, resp], the number of different signature matches has reached one of the thresholds.

Types¶

Signatures::Action¶

Type:

Type:	`enum` `Signatures::SIG_IGNORE`¶ Ignore this signature completely (even for scan detection). Don’t write to the signatures logging stream. `Signatures::SIG_QUIET`¶ Process through the various aggregate techniques, but don’t report individually and don’t write to the signatures logging stream. `Signatures::SIG_LOG`¶ Generate a notice. `Signatures::SIG_FILE_BUT_NO_SCAN`¶ The same as `Signatures::SIG_LOG`, but ignore for aggregate/scan processing. `Signatures::SIG_ALARM`¶ Generate a notice and set it to be alarmed upon. `Signatures::SIG_ALARM_PER_ORIG`¶ Alarm once per originator. `Signatures::SIG_ALARM_ONCE`¶ Alarm once and then never again. `Signatures::SIG_COUNT_PER_RESP`¶ Count signatures per responder host and alarm with the `Signatures::Count_Signature` notice if a threshold defined by `Signatures::count_thresholds` is reached. `Signatures::SIG_SUMMARY`¶ Don’t alarm, but generate per-orig summary.

enum

Signatures::SIG_IGNORE¶: Ignore this signature completely (even for scan detection). Don’t write to the signatures logging stream.

Signatures::SIG_QUIET¶: Process through the various aggregate techniques, but don’t report individually and don’t write to the signatures logging stream.

Signatures::SIG_LOG¶: Generate a notice.

Signatures::SIG_FILE_BUT_NO_SCAN¶: The same as Signatures::SIG_LOG, but ignore for aggregate/scan processing.

Signatures::SIG_ALARM¶: Generate a notice and set it to be alarmed upon.

Signatures::SIG_ALARM_PER_ORIG¶: Alarm once per originator.

Signatures::SIG_ALARM_ONCE¶: Alarm once and then never again.

Signatures::SIG_COUNT_PER_RESP¶: Count signatures per responder host and alarm with the Signatures::Count_Signature notice if a threshold defined by Signatures::count_thresholds is reached.

Signatures::SIG_SUMMARY¶: Don’t alarm, but generate per-orig summary.

These are the default actions you can apply to signature matches. All of them write the signature record to the logging stream unless declared otherwise.

Signatures::Info¶

Type:

Type:	`record` ts: `time` `&log` The network time at which a signature matching type of event to be logged has occurred. uid: `string` `&log` `&optional` A unique identifier of the connection which triggered the signature match event. src_addr: `addr` `&log` `&optional` The host which triggered the signature match event. src_port: `port` `&log` `&optional` The host port on which the signature-matching activity occurred. dst_addr: `addr` `&log` `&optional` The destination host which was sent the payload that triggered the signature match. dst_port: `port` `&log` `&optional` The destination host port which was sent the payload that triggered the signature match. note: `Notice::Type` `&log` Notice associated with signature event. sig_id: `string` `&log` `&optional` The name of the signature that matched. event_msg: `string` `&log` `&optional` A more descriptive message of the signature-matching event. sub_msg: `string` `&log` `&optional` Extracted payload data or extra message. sig_count: `count` `&log` `&optional` Number of sigs, usually from summary count. host_count: `count` `&log` `&optional` Number of hosts, from a summary count.

record

ts: time &log: The network time at which a signature matching type of event to be logged has occurred.
uid: string &log &optional: A unique identifier of the connection which triggered the signature match event.
src_addr: addr &log &optional: The host which triggered the signature match event.
src_port: port &log &optional: The host port on which the signature-matching activity occurred.
dst_addr: addr &log &optional: The destination host which was sent the payload that triggered the signature match.
dst_port: port &log &optional: The destination host port which was sent the payload that triggered the signature match.
note: Notice::Type &log: Notice associated with signature event.
sig_id: string &log &optional: The name of the signature that matched.
event_msg: string &log &optional: A more descriptive message of the signature-matching event.
sub_msg: string &log &optional: Extracted payload data or extra message.
sig_count: count &log &optional: Number of sigs, usually from summary count.
host_count: count &log &optional: Number of hosts, from a summary count.

The record type which contains the column fields of the signature log.

Events¶

Signatures::log_signature¶

Type:	`event` (rec: `Signatures::Info`)

This event can be handled to access/alter data about to be logged to the signature logging stream.

Rec:	The record of signature data about to be logged.

base/frameworks/signatures/main.bro¶

Summary¶

Runtime Options¶

Redefinable Options¶

Types¶

Redefinitions¶

Events¶

Detailed Interface¶

Runtime Options¶

Redefinable Options¶

Types¶

Events¶

Table of Contents

Next Page

Previous Page

base/frameworks/signatures/main.bro¶

Summary¶

Runtime Options¶

Redefinable Options¶

Types¶

Redefinitions¶

Events¶

Detailed Interface¶

Runtime Options¶

Redefinable Options¶

Types¶

Events¶

Table of Contents

Next Page

Previous Page

Search