base/frameworks/signatures/main.zeek

Signatures

Script level signature support. See the signature documentation for more information about Zeek’s signature engine.

Namespace:

Signatures

Imports:

base/frameworks/notice

Summary

Runtime Options

Signatures::ignored_ids: pattern &redef

Signature IDs that should always be ignored.

Signatures::summary_interval: interval &redef

The interval between when Signatures::Signature_Summary notices are generated.

Redefinable Options

Signatures::count_thresholds: set &redef

Generate a notice if a Signatures::SIG_COUNT_PER_RESP signature is triggered as often as given by one of these thresholds.

Signatures::horiz_scan_thresholds: set &redef

Generate a notice if, for a pair [orig, signature], the number of different responders has reached one of the thresholds.

Signatures::vert_scan_thresholds: set &redef

Generate a notice if, for a pair [orig, resp], the number of different signature matches has reached one of the thresholds.

State Variables

Signatures::actions: table &redef &default = Signatures::SIG_ALARM

Actions for a signature.

Types

Signatures::Action: enum

These are the default actions you can apply to signature matches.

Signatures::Info: record

The record type which contains the column fields of the signature log.

Redefinitions

Log::ID: enum

The signature logging stream identifier.

Notice::Type: enum

Add various signature-related notice types.

Events

Signatures::log_signature: event

This event can be handled to access/alter data about to be logged to the signature logging stream.

Hooks

Signatures::log_policy: Log::PolicyHook

A default logging policy hook for the stream.

Detailed Interface

Runtime Options

Signatures::ignored_ids
Type:

pattern

Attributes:

&redef

Default:
/^?(NO_DEFAULT_MATCHES)$?/
Redefinition:

from policy/misc/detect-traceroute/main.zeek

+=:

/^?(traceroute-detector.*)$?/
Redefinition:

from policy/protocols/http/detect-webapps.zeek

+=:

/^?(^webapp-)$?/

Signature IDs that should always be ignored.

Signatures::summary_interval
Type:

interval

Attributes:

&redef

Default:

1.0 day

The interval between when Signatures::Signature_Summary notices are generated.

Redefinable Options

Signatures::count_thresholds
Type:

set [count]

Attributes:

&redef

Default:
{
   1000,
   10000,
   500,
   5,
   10,
   100,
   50,
   1000000
}

Generate a notice if a Signatures::SIG_COUNT_PER_RESP signature is triggered as often as given by one of these thresholds.

Signatures::horiz_scan_thresholds
Type:

set [count]

Attributes:

&redef

Default:
{
   1000,
   500,
   5,
   10,
   100,
   50
}

Generate a notice if, for a pair [orig, signature], the number of different responders has reached one of the thresholds.

Signatures::vert_scan_thresholds
Type:

set [count]

Attributes:

&redef

Default:
{
   1000,
   500,
   5,
   10,
   100,
   50
}

Generate a notice if, for a pair [orig, resp], the number of different signature matches has reached one of the thresholds.

State Variables

Signatures::actions
Type:

table [string] of Signatures::Action

Attributes:

&redef &default = Signatures::SIG_ALARM

Default:
{
   ["unspecified"] = Signatures::SIG_IGNORE
}

Actions for a signature. Can be updated dynamically.

Types

Signatures::Action
Type:

enum

Signatures::SIG_IGNORE

Ignore this signature completely (even for scan detection). Don’t write to the signatures logging stream.

Signatures::SIG_QUIET

Process through the various aggregate techniques, but don’t report individually and don’t write to the signatures logging stream.

Signatures::SIG_LOG

Generate a notice.

Signatures::SIG_FILE_BUT_NO_SCAN

The same as Signatures::SIG_LOG, but ignore for aggregate/scan processing.

Signatures::SIG_ALARM

Generate a notice and set it to be alarmed upon.

Signatures::SIG_ALARM_PER_ORIG

Alarm once per originator.

Signatures::SIG_ALARM_ONCE

Alarm once and then never again.

Signatures::SIG_COUNT_PER_RESP

Count signatures per responder host and alarm with the Signatures::Count_Signature notice if a threshold defined by Signatures::count_thresholds is reached.

Signatures::SIG_SUMMARY

Don’t alarm, but generate per-orig summary.

These are the default actions you can apply to signature matches. All of them write the signature record to the logging stream unless declared otherwise.

Signatures::Info
Type:

record

Fields:
ts: time &log

The network time at which a signature matching type of event to be logged has occurred.

uid: string &log &optional

A unique identifier of the connection which triggered the signature match event.

src_addr: addr &log &optional

The host which triggered the signature match event.

src_port: port &log &optional

The host port on which the signature-matching activity occurred.

dst_addr: addr &log &optional

The destination host which was sent the payload that triggered the signature match.

dst_port: port &log &optional

The destination host port which was sent the payload that triggered the signature match.

note: Notice::Type &log

Notice associated with signature event.

sig_id: string &log &optional

The name of the signature that matched.

event_msg: string &log &optional

A more descriptive message of the signature-matching event.

sub_msg: string &log &optional

Extracted payload data or extra message.

sig_count: count &log &optional

Number of sigs, usually from summary count.

host_count: count &log &optional

Number of hosts, from a summary count.

The record type which contains the column fields of the signature log.

Events

Signatures::log_signature
Type:

event (rec: Signatures::Info)

This event can be handled to access/alter data about to be logged to the signature logging stream.

Parameters:

rec – The record of signature data about to be logged.

Hooks

Signatures::log_policy
Type:

Log::PolicyHook

A default logging policy hook for the stream.