Each individual signature has the format

    signature id { attribute-set }

id is a unique label for the signature. There are two types of attributes: conditions and actions. The conditions define when the signature matches, while the actions declare what to do in the case of a match. Conditions can be further divided into four types: header, content, dependency, and context. We will discuss these in more detail in the following subsections.
This is an example of a signature:

    signature formmail-cve-1999-0172 {
      ip-proto == tcp
      dst-ip == 1.2.0.0/16
      dst-port == 80
      http /.*formmail.*\?.*recipient=[^&]*[;|]/
      event "formmail shell command"
    }
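
To make the split between conditions and actions concrete, the following sketch (an added example, not part of the original documentation or of the signature engine) parses the signature above and evaluates it against constructed request records. It assumes the http pattern is matched from the start of the request URI, writes the port comparison as ==, and uses hypothetical dictionary field names for the connection.

```python
import ipaddress
import re

# The page's example signature (port comparison written with ==).
SIG = r'''
signature formmail-cve-1999-0172 {
  ip-proto == tcp
  dst-ip == 1.2.0.0/16
  dst-port == 80
  http /.*formmail.*\?.*recipient=[^&]*[;|]/
  event "formmail shell command"
}
'''
ACTIONS = {"event"}  # the only action keyword used on this page

def parse_signature(text):
    """Split one 'signature id { ... }' block into id, conditions, actions."""
    m = re.search(r"signature\s+(\S+)\s*\{(.*)\}", text, re.S)
    conditions, actions = [], []
    for line in filter(None, (l.strip() for l in m.group(2).splitlines())):
        keyword, rest = line.split(None, 1)
        (actions if keyword in ACTIONS else conditions).append((keyword, rest))
    return m.group(1), conditions, actions

def condition_holds(keyword, rest, conn):
    if keyword == "http":  # content condition: regex over the request URI
        # Assumption: the pattern is anchored at the start of the URI.
        return re.match(rest[1:-1], conn["uri"]) is not None
    op, value = rest.split()  # header condition: "<op> <value>"
    if op != "==":
        raise ValueError(f"unsupported operator in sketch: {op}")
    if keyword == "dst-ip":
        return ipaddress.ip_address(conn[keyword]) in ipaddress.ip_network(value)
    return str(conn[keyword]) == value

def evaluate(text, conn):
    """Return the event messages raised for conn; empty list if no match."""
    _, conditions, actions = parse_signature(text)
    if all(condition_holds(k, r, conn) for k, r in conditions):
        return [rest.strip('"') for _, rest in actions]
    return []

# Constructed sample requests (dict field names are hypothetical).
BASE = {"ip-proto": "tcp", "dst-ip": "1.2.3.4", "dst-port": 80}
HIT = dict(BASE, uri="/cgi-bin/formmail.pl?recipient=ops@example.com;x")
CLEAN = dict(BASE, uri="/cgi-bin/formmail.pl?recipient=ops@example.com&s=hi")
OFFNET = {**HIT, "dst-ip": "10.0.0.5"}
```

Only HIT satisfies every condition, so only it produces the event; CLEAN fails the content condition and OFFNET fails the dst-ip header condition.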