base/frameworks/signatures/main.bro

Signatures

Script level signature support. See the signature documentation for more information about Bro’s signature engine.

Namespace:Signatures
Imports:base/frameworks/notice
Source File:/scripts/base/frameworks/signatures/main.bro

Summary

Runtime Options

Signatures::ignored_ids: pattern &redef Signature IDs that should always be ignored.
Signatures::summary_interval: interval &redef The interval between when Signatures::Signature_Summary notices are generated.

Redefinable Options

Signatures::actions: table &redef &default = Signatures::SIG_ALARM &optional Actions for a signature.
Signatures::count_thresholds: set &redef Generate a notice if a Signatures::SIG_COUNT_PER_RESP signature is triggered as often as given by one of these thresholds.
Signatures::horiz_scan_thresholds: set &redef Generate a notice if, for a pair [orig, signature], the number of different responders has reached one of the thresholds.
Signatures::vert_scan_thresholds: set &redef Generate a notice if, for a pair [orig, resp], the number of different signature matches has reached one of the thresholds.

Types

Signatures::Action: enum These are the default actions you can apply to signature matches.
Signatures::Info: record The record type which contains the column fields of the signature log.

Redefinitions

Log::ID: enum The signature logging stream identifier.
Notice::Type: enum Add various signature-related notice types.

Events

Signatures::log_signature: event This event can be handled to access/alter data about to be logged to the signature logging stream.

Detailed Interface

Runtime Options

Signatures::ignored_ids
Type:pattern
Attributes:&redef
Default:
/(^?(^?(^webapp-)$?)$?)|(^?((^?(^?(traceroute-detector.*)$?)$?)|(^?(^?(NO_DEFAULT_MATCHES)$?)$?))$?)/

Signature IDs that should always be ignored.

Signatures::summary_interval
Type:interval
Attributes:&redef
Default:1.0 day

The interval between when Signatures::Signature_Summary notices are generated.

Redefinable Options

Signatures::actions
Type:table [string] of Signatures::Action
Attributes:&redef &default = Signatures::SIG_ALARM &optional
Default:
{
   ["unspecified"] = Signatures::SIG_IGNORE
}

Actions for a signature.

Signatures::count_thresholds
Type:set [count]
Attributes:&redef
Default:
{
   500,
   10,
   1000,
   50,
   1000000,
   5,
   10000,
   100
}

Generate a notice if a Signatures::SIG_COUNT_PER_RESP signature is triggered as often as given by one of these thresholds.

Signatures::horiz_scan_thresholds
Type:set [count]
Attributes:&redef
Default:
{
   500,
   10,
   1000,
   50,
   5,
   100
}

Generate a notice if, for a pair [orig, signature], the number of different responders has reached one of the thresholds.

Signatures::vert_scan_thresholds
Type:set [count]
Attributes:&redef
Default:
{
   500,
   10,
   1000,
   50,
   5,
   100
}

Generate a notice if, for a pair [orig, resp], the number of different signature matches has reached one of the thresholds.

Types

Signatures::Action
Type:

enum

Signatures::SIG_IGNORE

Ignore this signature completely (even for scan detection). Don’t write to the signatures logging stream.

Signatures::SIG_QUIET

Process through the various aggregate techniques, but don’t report individually and don’t write to the signatures logging stream.

Signatures::SIG_LOG

Generate a notice.

Signatures::SIG_FILE_BUT_NO_SCAN

The same as Signatures::SIG_LOG, but ignore for aggregate/scan processing.

Signatures::SIG_ALARM

Generate a notice and set it to be alarmed upon.

Signatures::SIG_ALARM_PER_ORIG

Alarm once per originator.

Signatures::SIG_ALARM_ONCE

Alarm once and then never again.

Signatures::SIG_COUNT_PER_RESP

Count signatures per responder host and alarm with the Signatures::Count_Signature notice if a threshold defined by Signatures::count_thresholds is reached.

Signatures::SIG_SUMMARY

Don’t alarm, but generate per-orig summary.

These are the default actions you can apply to signature matches. All of them write the signature record to the logging stream unless declared otherwise.

Signatures::Info
Type:

record

ts: time &log

The network time at which a signature matching type of event to be logged has occurred.

uid: string &log &optional

A unique identifier of the connection which triggered the signature match event.

src_addr: addr &log &optional

The host which triggered the signature match event.

src_port: port &log &optional

The host port on which the signature-matching activity occurred.

dst_addr: addr &log &optional

The destination host which was sent the payload that triggered the signature match.

dst_port: port &log &optional

The destination host port which was sent the payload that triggered the signature match.

note: Notice::Type &log

Notice associated with signature event.

sig_id: string &log &optional

The name of the signature that matched.

event_msg: string &log &optional

A more descriptive message of the signature-matching event.

sub_msg: string &log &optional

Extracted payload data or extra message.

sig_count: count &log &optional

Number of sigs, usually from summary count.

host_count: count &log &optional

Number of hosts, from a summary count.

The record type which contains the column fields of the signature log.

Events

Signatures::log_signature
Type:event (rec: Signatures::Info)

This event can be handled to access/alter data about to be logged to the signature logging stream.

Rec:The record of signature data about to be logged.
Copyright 2016, The Bro Project. Last updated on January 10, 2019. Created using Sphinx 1.7.5.