


7.22 The signature Module

The signature module analyzes signature matches (see Signatures). For each signature, you can specify one of the actions defined in Table 7.2. In addition, the module identifies two types of exploit scans: horizontal (a host triggers a signature for multiple destinations) and vertical (a host triggers multiple signatures for the same destination).

The module handles one event:

signature_match (state: signature_state, msg: string, data: string)
Invoked upon a match of a signature that contains an event action (see Actions).

It provides the following redefinable variables:

sig_actions : table[string] of count
Maps signature IDs to actions as defined in the table below.

Action     Meaning
SIG_IGNORE Ignore the signature completely.
SIG_QUIET  Process for scan detection but don't report individually.
SIG_FILE   Write matches to signatures-log.
SIG_LOG    Log matches and write them to signatures-log.

Table 7.8: Possible actions to take for signatures matches

Default: SIG_FILE.

horiz_scan_thresholds : set[count]
Generate a log message whenever a remote host triggers a signature for the given number of hosts.

Default: { 5, 10, 50, 100, 500, 1000 }

vert_scan_thresholds : set[count]
Generate a log message whenever a remote host triggers the given number of signatures for the same destination.

Default: { 5, 10, 50, 100, 500, 1000 }

The module defines one function for external use:

has_signature_matched (id: string, orig: addr, resp: addr): bool
Returns true if the given signature has already matched for the (originator, responder) pair.
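To make the semantics above concrete, here is an added Python simulation (not Bro's own code) of how per-signature actions, the horizontal/vertical scan thresholds and has_signature_matched interact; the class name, method signatures and the sample hosts and signature IDs are all constructed for illustration.

```python
# Added example: a stand-in for the signature module's bookkeeping, so the
# effect of each SIG_* action and of the scan thresholds can be traced.
from collections import defaultdict

SIG_IGNORE, SIG_QUIET, SIG_FILE, SIG_LOG = range(4)
DEFAULT_THRESHOLDS = {5, 10, 50, 100, 500, 1000}


class SignatureModule:
    def __init__(self, sig_actions=None, default=SIG_FILE,
                 horiz_thresholds=None, vert_thresholds=None):
        self.sig_actions = dict(sig_actions or {})   # sig id -> SIG_* action
        self.default = default                        # used when a sig id is not mapped
        self.horiz_thresholds = set(horiz_thresholds or DEFAULT_THRESHOLDS)
        self.vert_thresholds = set(vert_thresholds or DEFAULT_THRESHOLDS)
        self.seen = set()               # (sig_id, orig, resp) triples already matched
        self.horiz = defaultdict(set)   # (orig, sig_id) -> distinct responders hit
        self.vert = defaultdict(set)    # (orig, resp)   -> distinct signatures hit
        self.notices = []               # scan notices, in the order they fired

    def has_signature_matched(self, sig_id, orig, resp):
        return (sig_id, orig, resp) in self.seen

    def signature_match(self, sig_id, orig, resp, msg):
        """Returns the individual log line for this match, or None if suppressed."""
        action = self.sig_actions.get(sig_id, self.default)
        if action == SIG_IGNORE:        # ignored signatures are not even counted
            return None
        self.seen.add((sig_id, orig, resp))
        # Horizontal: one host, one signature, many destinations.
        dests = self.horiz[(orig, sig_id)]
        dests.add(resp)
        if len(dests) in self.horiz_thresholds:
            self.notices.append(f"horizontal scan: {orig} triggered {sig_id} for {len(dests)} hosts")
        # Vertical: one host, one destination, many signatures.
        sigs = self.vert[(orig, resp)]
        sigs.add(sig_id)
        if len(sigs) in self.vert_thresholds:
            self.notices.append(f"vertical scan: {orig} triggered {len(sigs)} signatures for {resp}")
        if action == SIG_QUIET:         # counted for scans, but no individual report
            return None
        return f"{orig} -> {resp}: {sig_id}: {msg}"


def run_example():
    # Constructed sample: one probing host hits six targets with the same
    # signature (horizontal) and one target with several signatures (vertical).
    m = SignatureModule({"noisy-sig": SIG_QUIET, "ignored-sig": SIG_IGNORE})
    logged = [m.signature_match("exploit-x", "10.0.0.1", f"192.168.1.{i}", "exploit attempt")
              for i in range(6)]
    for s in ("sig-a", "sig-b", "sig-c", "noisy-sig", "ignored-sig"):
        logged.append(m.signature_match(s, "10.0.0.1", "192.168.1.0", "probe"))
    return m, [line for line in logged if line]
```

With the default thresholds, the sample crosses the first horizontal threshold at the fifth distinct destination and the first vertical threshold at the fifth distinct signature against 192.168.1.0, while the SIG_QUIET match contributes to the count without producing its own log line.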