signature Module
The signature module analyzes signature matches (see Signatures).
For each signature, you can specify one of the actions
defined in Table 7.2.
In addition, the module identifies two types of exploit scans:
horizontal (a host triggers a signature for multiple destinations) and
vertical (a host triggers multiple signatures for the same destination).
Matches reach the module through the event
signature_match (state: signature_state, msg: string, data: string);
the action taken for each match is selected per signature (see Actions).
It provides the following redefinable variables:
sig_actions : table[string] of count
Per-signature action, one of the values in Table 7.8. Default: SIG_FILE.

Table 7.8: Possible actions to take for signature matches
Action | Meaning
SIG_IGNORE | Ignore the signature completely.
SIG_QUIET | Process for scan detection but don't report individually.
SIG_FILE | Write matches to signatures-log.
SIG_LOG | Log matches and write them to signatures-log.
horiz_scan_thresholds : set[count]
Destination counts at which a horizontal scan is reported. Default: { 5, 10, 50, 100, 500, 1000 }
vert_scan_thresholds : set[count]
Signature counts at which a vertical scan is reported. Default: { 5, 10, 50, 100, 500, 1000 }
The module defines one function for external use:
has_signature_matched (id: string, orig: addr, resp: addr): bool
Returns whether signature id has already matched for traffic between orig and resp.
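The following policy fragment is an added example, not code from the Bro manual or the Bro distribution. It shows how a site would tune the module from a local script: redefining sig_actions for individual signatures, lowering the scan thresholds, and using has_signature_matched inside a signature_match handler to correlate two signatures between the same pair of hosts. The signature ids are constructed placeholders, and the handler assumes Bro 1.x script syntax and that signature_state carries the fields id, conn, is_orig and payload_size (an assumption about the record layout of that era).

```bro
# Added example (not from the Bro manual): local tuning of the signature module.
# Assumption: Bro 1.x policy-script syntax; signature_state has fields
# id, conn, is_orig and payload_size.
@load signature

# Per-signature actions. Any signature not listed keeps the default (SIG_FILE).
# The ids below are constructed placeholders, not real signature names.
redef sig_actions += {
    ["example-noisy-sig"]    = SIG_QUIET,   # count for scan detection, no per-match report
    ["example-benign-sig"]   = SIG_IGNORE,  # drop entirely
    ["example-critical-sig"] = SIG_LOG,     # log and write to signatures-log
};

# Report horizontal/vertical exploit scans at fewer, lower thresholds than the default.
redef horiz_scan_thresholds = { 5, 20, 100 };
redef vert_scan_thresholds  = { 5, 20, 100 };

# Additional handler next to the module's own: when the critical signature fires,
# check whether the noisy one already matched between the same hosts and say so.
event signature_match(state: signature_state, msg: string, data: string)
{
    local orig = state$conn$id$orig_h;
    local resp = state$conn$id$resp_h;

    if ( state$id == "example-critical-sig" &&
         has_signature_matched("example-noisy-sig", orig, resp) )
        {
        # Constructed message; a real policy would raise an alert here instead.
        print fmt("%s: critical signature after earlier noisy match between %s and %s (payload %d bytes)",
                  network_time(), orig, resp, state$payload_size);
        }
}
```

SIG_QUIET is the useful middle ground here: the noisy signature still feeds the horizontal and vertical scan counters, so scan detection keeps working, while only the critical signature produces per-match log entries.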