Feature #59: ThreatPattern Extensions - ThreatFactor NSIA - LukeMurphey.net

Feature #59

ThreatPattern Extensions

Added by Luke Murphey about 14 years ago. Updated over 13 years ago.

Status:

New

Priority:

Normal

Assignee:

Category:

Scan Engine

Target version:

Start date:

04/08/2010

Due date:

% Done:

Description

ThreatSignatures could have more power if they supported extensions that could be used inside of definitions. These extensions could be used to perform operations not typically available within ThreatSignatures. Below is an example of the syntax that may be used:

Extension.HTTP.Header["Server"] = "/Apache.*/i";
Extension.HTTP.Cookie("auth", true) != "/[A-F0-9]{,32}/i";

The actual function to process the extension would include the following function prototype:

boolean matchedExtension(
    String extensionName, //"Extension.HTTP.Cookie" 
    String[] arguments, //"auth", "true" 
    boolean notFlagSet, //true
    String operand ); //"/[A-F0-9]{,32}/i"

History

#1 Updated by Luke Murphey over 13 years ago

Category set to Scan Engine

Also available in: Atom PDF

Project

General

Profile

ThreatFactor NSIA

Issues

Custom queries

Feature #59

ThreatPattern Extensions

History

#1 Updated by Luke Murphey over 13 years ago