base/frameworks/signatures/main.bro

Signatures

Script-level signature support. See the signature documentation for more information about Bro's signature engine.

Detailed Interface

Runtime Options
Signatures::ignored_ids
Default: /(^?(^?(^webapp-)$?)$?)|(^?((^?(^?(traceroute-detector.*)$?)$?)|(^?(^?(NO_DEFAULT_MATCHES)$?)$?))$?)/
Signature IDs that should always be ignored.

Signatures::summary_interval
The interval between when Signatures::Signature_Summary notices are generated.
Redefinable Options

Signatures::actions
Default:
    {
        ["unspecified"] = Signatures::SIG_IGNORE
    }
Actions for a signature.

Signatures::count_thresholds
Default:
    {
        500,
        10,
        1000,
        50,
        1000000,
        5,
        10000,
        100
    }
Generate a notice if a Signatures::SIG_COUNT_PER_RESP signature is triggered as often as given by one of these thresholds.

Signatures::horiz_scan_thresholds
Default:
    {
        500,
        10,
        1000,
        50,
        5,
        100
    }
Generate a notice if, for a pair [orig, signature], the number of different responders has reached one of the thresholds.

Signatures::vert_scan_thresholds
Default:
    {
        500,
        10,
        1000,
        50,
        5,
        100
    }
Generate a notice if, for a pair [orig, resp], the number of different signature matches has reached one of the thresholds.
Types

Signatures::Action
Type: enum

- Signatures::SIG_IGNORE
  Ignore this signature completely (even for scan detection). Don't write to the signatures logging stream.
- Signatures::SIG_QUIET
  Process through the various aggregate techniques, but don't report individually and don't write to the signatures logging stream.
- Signatures::SIG_LOG
  Generate a notice.
- Signatures::SIG_FILE_BUT_NO_SCAN
  The same as Signatures::SIG_LOG, but ignore for aggregate/scan processing.
- Signatures::SIG_ALARM
  Generate a notice and set it to be alarmed upon.
- Signatures::SIG_ALARM_PER_ORIG
  Alarm once per originator.
- Signatures::SIG_ALARM_ONCE
  Alarm once and then never again.
- Signatures::SIG_COUNT_PER_RESP
  Count signatures per responder host and alarm with the Signatures::Count_Signature notice if a threshold defined by Signatures::count_thresholds is reached.
- Signatures::SIG_SUMMARY
  Don't alarm, but generate a per-orig summary.

These are the default actions you can apply to signature matches. All of them write the signature record to the logging stream unless declared otherwise.
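The following site-local script is an added example, not code from Bro's own main.bro, showing how the runtime and redefinable options above are tuned together with the Action values: an explicit action per signature id, an extension of the ignored pattern, a shorter summary interval, and an extra step in each threshold set. The signature ids example-ssh-banner and example-noisy-probe, the signature file ./local-sigs.sig and the pattern /^example-test-/ are assumptions for illustration; none of them ship with Bro.

```bro
# Added example (not part of Bro): site-local tuning of the signature framework.
# Assumed: ./local-sigs.sig defines signatures named "example-ssh-banner" and
# "example-noisy-probe"; neither the file nor the ids exist in the Bro distribution.
@load base/frameworks/signatures
@load-sigs ./local-sigs.sig

# Choose an explicit Action per signature id. Ids not listed here keep whatever
# Signatures::actions already maps them to.
redef Signatures::actions += {
    # Raise a notice once per originating host, then stay quiet for that host.
    ["example-ssh-banner"] = Signatures::SIG_ALARM_PER_ORIG,
    # Count hits per responder and raise Signatures::Count_Signature when a
    # value in Signatures::count_thresholds is reached.
    ["example-noisy-probe"] = Signatures::SIG_COUNT_PER_RESP
};

# Ids matching this pattern are dropped before any action or scan logic runs.
# The pattern is OR-ed onto the existing ignored_ids value, which is why the
# documented default above shows nested alternatives.
redef Signatures::ignored_ids += /^example-test-/;

# Emit Signatures::Signature_Summary notices hourly instead of at the default interval.
redef Signatures::summary_interval = 1 hr;

# Add a lower step to each threshold set; a notice is generated each time a
# running count reaches one of the configured values.
redef Signatures::count_thresholds += { 25 };
redef Signatures::horiz_scan_thresholds += { 25 };
redef Signatures::vert_scan_thresholds += { 25 };
```

Because the threshold options are sets, adding a value never removes the shipped ones; to replace the whole set use `=` instead of `+=`. The same distinction applies to Signatures::ignored_ids, where `=` would also drop the webapp- and traceroute-detector entries shown in the default.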
Signatures::Info
Type: record

- ts: time &log
  The network time at which the signature-matching event being logged occurred.
- uid: string &log &optional
  A unique identifier of the connection which triggered the signature match event.
- src_addr: addr &log &optional
  The host which triggered the signature match event.
- src_port: port &log &optional
  The host port on which the signature-matching activity occurred.
- dst_addr: addr &log &optional
  The destination host which was sent the payload that triggered the signature match.
- dst_port: port &log &optional
  The destination host port which was sent the payload that triggered the signature match.
- note: Notice::Type &log
  The notice associated with the signature event.
- sig_id: string &log &optional
  The name of the signature that matched.
- event_msg: string &log &optional
  A more descriptive message of the signature-matching event.
- sub_msg: string &log &optional
  Extracted payload data or an extra message.
- sig_count: count &log &optional
  Number of signature matches, usually from a summary count.
- host_count: count &log &optional
  Number of hosts, from a summary count.

The record type which contains the column fields of the signature log.
Events

Signatures::log_signature
This event can be handled to access/alter data about to be logged to the signature logging stream.
Rec: The record of signature data about to be logged.
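An added example (not code from Bro's main.bro) of handling Signatures::log_signature: it reads the Signatures::Info fields listed above, testing each &optional field with ?$ before use, and keeps a per-signature tally that is printed at shutdown. The module name SigStats and the table matches_by_sig are assumed names chosen for this illustration.

```bro
# Added example (not part of Bro): observe every record written to the
# signature log and tally matches per signature id.
@load base/frameworks/signatures

module SigStats;

export {
    ## Assumed name: number of logged matches seen per sig_id.
    global matches_by_sig: table[string] of count;
}

event Signatures::log_signature(rec: Signatures::Info)
{
    # sig_id is &optional (summary records may omit it), so check presence first.
    if ( ! rec?$sig_id )
        return;

    if ( rec$sig_id !in matches_by_sig )
        matches_by_sig[rec$sig_id] = 0;
    ++matches_by_sig[rec$sig_id];

    # src_addr, dst_addr and event_msg are optional as well; only print the
    # detail line when both endpoints are present.
    if ( rec?$src_addr && rec?$dst_addr )
        print fmt("%s: %s -> %s (%s) seen %d time(s)",
                  rec$sig_id, rec$src_addr, rec$dst_addr,
                  rec?$event_msg ? rec$event_msg : "-",
                  matches_by_sig[rec$sig_id]);
}

event bro_done()
{
    for ( sid in matches_by_sig )
        print fmt("%s matched %d time(s)", sid, matches_by_sig[sid]);
}
```

Only records that the framework actually writes reach this handler, so signatures mapped to Signatures::SIG_IGNORE or Signatures::SIG_QUIET, and ids matched by Signatures::ignored_ids, never appear in the tally.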