next up previous contents index
Next: The SSL Analyzer Up: Analyzers and Events Previous: The analy Analyzer   Contents   Index


The signature Module

The signature module analyzes signature matches (see § ). For each signature, you can specify one of the actions defined in Table [*]. In addition, the module identifies two types of exploit scans: horizontal (one host triggers the same signature against multiple destinations) and vertical (one host triggers multiple signatures against the same destination).


Table: Possible actions to take for signature matches. signatures-log defaults to open_log_file("signatures").

Action       Meaning
SIG_IGNORE   Ignore the signature completely.
SIG_QUIET    Process for scan detection, but do not report matches individually.
SIG_FILE     Write matches to signatures-log.
SIG_LOG      Log matches and also write them to signatures-log.


The module handles one event:

[signature_match (state: signature_state, msg: string, data: string)] Invoked upon a match of a signature which contains an event action (§ ).

It provides the following redefinable variables:

[sig_actions : table[string] of count] Maps signature IDs to actions as defined in Table [*]. A signature that has no entry in the table gets the default action.

Default: SIG_FILE.

[horiz_scan_thresholds : set[count]] Generate a log message whenever a remote host has triggered the same signature against the given number of distinct destination hosts (horizontal scan).

Default: { 5, 10, 50, 100, 500, 1000 }

[vert_scan_thresholds : set[count]] Generate a log message whenever a remote host has triggered the given number of distinct signatures against the same destination host (vertical scan).

Default: { 5, 10, 50, 100, 500, 1000 }

The module defines one function for external use:

[has_signature_matched(id: string, orig: addr, resp: addr): bool] Returns true if the given signature has already matched for the (originator, responder) pair.
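The actions table, the two threshold variables and has_signature_matched describe one processing flow, and the manual only states each piece in isolation. The following Python model is an added example (not code from the Bro distribution) that replays constructed signature_match events through that flow, so you can see what an action of SIG_QUIET versus SIG_IGNORE does to scan detection, and when a horizontal or vertical threshold fires. The signature IDs, hosts, messages and the numeric values given to the action constants are assumptions made for the example; in Bro itself the same configuration would be done by redef'ing sig_actions and the threshold sets.

```python
"""Executable model of the Bro signature module's match handling.

Added example, not code from the Bro distribution: it mirrors the
semantics the manual describes (sig_actions, horizontal/vertical scan
thresholds, has_signature_matched) so the behaviour can be traced on
constructed input.  Hosts, signature IDs and messages are made up.
"""
from collections import defaultdict

# Actions from the manual's table.  The numeric values are an assumption.
SIG_IGNORE, SIG_QUIET, SIG_FILE, SIG_LOG = range(4)

# Defaults as given for horiz_scan_thresholds / vert_scan_thresholds.
DEFAULT_THRESHOLDS = frozenset({5, 10, 50, 100, 500, 1000})


class SignatureModule:
    def __init__(self, sig_actions=None, default_action=SIG_FILE,
                 horiz_scan_thresholds=DEFAULT_THRESHOLDS,
                 vert_scan_thresholds=DEFAULT_THRESHOLDS):
        self.sig_actions = dict(sig_actions or {})
        self.default_action = default_action
        self.horiz_scan_thresholds = set(horiz_scan_thresholds)
        self.vert_scan_thresholds = set(vert_scan_thresholds)
        self.matched = set()                 # (sid, orig, resp) triples seen
        self.horiz = defaultdict(set)        # (orig, sid)  -> responders hit
        self.vert = defaultdict(set)         # (orig, resp) -> signatures hit
        self.signatures_log = []             # stands in for signatures-log
        self.log_messages = []               # stands in for Bro's log output
        self.scan_notices = []               # structured copy of scan alerts

    def has_signature_matched(self, sid, orig, resp):
        """True if sid already matched for this (originator, responder) pair."""
        return (sid, orig, resp) in self.matched

    def signature_match(self, sid, orig, resp, msg):
        """Handle one signature_match event for signature sid."""
        action = self.sig_actions.get(sid, self.default_action)
        if action == SIG_IGNORE:
            return                           # ignored completely: no state kept
        self.matched.add((sid, orig, resp))
        if action in (SIG_FILE, SIG_LOG):
            self.signatures_log.append(f"{orig} -> {resp}: {sid}: {msg}")
        if action == SIG_LOG:
            self.log_messages.append(f"signature match {sid} {orig} -> {resp}: {msg}")
        # SIG_QUIET reaches here too: counted for scans, never reported alone.
        self._scan_check(sid, orig, resp)

    def _scan_check(self, sid, orig, resp):
        # Horizontal: same source and signature, count distinct destinations.
        responders = self.horiz[(orig, sid)]
        if resp not in responders:
            responders.add(resp)
            n = len(responders)
            if n in self.horiz_scan_thresholds:
                self.scan_notices.append(("horizontal", orig, sid, n))
                self.log_messages.append(f"{orig} triggered {sid} on {n} hosts")
        # Vertical: same source and destination, count distinct signatures.
        sigs = self.vert[(orig, resp)]
        if sid not in sigs:
            sigs.add(sid)
            n = len(sigs)
            if n in self.vert_scan_thresholds:
                self.scan_notices.append(("vertical", orig, resp, n))
                self.log_messages.append(f"{orig} triggered {n} signatures on {resp}")


def demo():
    """Replay constructed matches through the model and return it."""
    m = SignatureModule(sig_actions={
        "telnet-banner": SIG_IGNORE,     # noisy, never wanted
        "recon-probe": SIG_QUIET,        # only useful as scan evidence
        "rce-attempt": SIG_LOG,          # always worth a log message
    })
    # Horizontal: one source, one signature, ten targets (thresholds 5 and 10).
    for i in range(1, 11):
        m.signature_match("web-exploit-1", "10.0.0.1", f"192.168.1.{i}", "GET /cgi-bin/phf")
    m.signature_match("web-exploit-1", "10.0.0.1", "192.168.1.1", "retry")  # same host again
    # Vertical: one source, five signatures, one target (threshold 5).
    for sid in ("recon-probe", "sql-inj", "dir-trav", "rce-attempt", "cgi-probe"):
        m.signature_match(sid, "10.0.0.2", "192.168.1.5", f"payload for {sid}")
    # An ignored signature leaves no trace at all.
    m.signature_match("telnet-banner", "10.0.0.3", "192.168.1.7", "login:")
    return m


if __name__ == "__main__":
    mod = demo()
    print("\n".join(mod.log_messages))
```

Running the script prints the four log messages the constructed input produces: the SIG_LOG match for rce-attempt, the horizontal notices at 5 and 10 hosts, and the vertical notice at 5 signatures. Note that recon-probe, being SIG_QUIET, never reaches signatures-log but still counts toward the vertical threshold, which is exactly why SIG_QUIET rather than SIG_IGNORE is the right choice for a signature that is too noisy to report on its own but still indicates probing.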


Vern Paxson 2004-03-21