ThreatPattern Definitions » History » Version 1
Luke Murphey, 04/03/2010 12:54 AM
ThreatPattern Definitions
ThreatPatterns are similar in concept to the signatures used by the Snort IDS. Below is a sample rule:
Alert("Abuse.DataHiding.Rar_File_In_Jpeg"){
Message="A JPEG file with a RAR file appended was observed";
Severity="Low";
ID=1000194;
Version=1;
BasicEncoding;
Byte="FF D9";
String="Rar!"; Offset=0;
ContentType="image/jpeg";
Reference=url,lifehacker.com/software/encryption/hide-files-in-jpeg-images-207905.php;
Reference=url,schmidt.devlib.org/file-formats/rar-archive-file-format.html;
}
Definition Verb
Each rule starts with an action verb that indicates what the system should do when the rule matches. The action verbs are as follows:
| Verb | Operation | Notes |
| Eval | Causes the rule to be evaluated but no action taken. | Only valid when a Set option is used. Used to set a flag that may be used in another signature (allows the rules to maintain state). |
| Alert | Causes the rule to indicate that a match has been found. | Used only to determine whether the site may be compromised. |
| Block | Causes the resource to be blocked (the end user cannot access it). | Useful when using a proxy to control access to the servers; this is not currently used. |
Definitions must have a name composed of three parts: a category, a sub-category, and a name. The parts are separated by periods (like "category.subcategory.name"). The category and sub-category are important because the user can create exceptions and disable definitions by category or sub-category. Therefore, it is important that you use category names that make sense; otherwise, the user may disable or enable your definition inadvertently.
In some cases a definition may be created for a specific site-group or rule. It is recommended that the definition be named such that it is clear it is site-group or rule specific. Oftentimes, this is done by prepending an underscore to the category name (e.g. "_Acme.InformationLeak.ConfidentialDocumentFound").
Definition Body
The definition body is composed of options that are used to draw conclusions about the data provided. Below is a list of the various options:
| Option | Required | Value | Example | Description |
| ID | Yes | <integer> | 10012441 | |
| Message | Yes | <string> | | |
| Version | | <integer> | 3 | |
| String | | <string> | haxored | Looks for the given String value |
| Regex | | PCRE | /apple/i | Looks for the given Regex (in PCRE format) |
| Bytes | | Bytes | 90 90 90 | Looks for the given bytes |
| Set | | <string> | | Sets the given variable (allows rules to maintain state) |
| UnSet | | <string> | | Unsets the given variable (allows rules to maintain state) |
| IfSet | | <string> | | Makes the action dependent upon whether the variable exists |
| IfNotSet | | <string> | | Opposite of IfSet |
| Distance | | <string> | | Sets a maximum depth into the data that the definition will examine (from the |
| Offset | | <string> | | Sets how much data should be skipped from the previous operator |
| Depth | | <integer> | | |
| Within | | <string> | | |
| ByteTest | | operation | 4 digits >= 128 (hexadecimal) | Can accept options such as big-endian, little-endian, hexadecimal, absolute-value and can operate on both digits (character representations of a number) or bytes (integer values) |
| ByteJump | | operation | 4 bytes (big-endian, align-8) | Can accept options such as big-endian, little-endian, hexadecimal, absolute-value, octal, align-4 and align-8 and can operate on both digits (character representations of a number) or bytes (integer values) |
| Reference | | <string> | url,threatfactor.com | |
| BasicEncoding | | <string> | | Causes the evaluator to skip character set encoding and treat the data as if it is raw bytes (or ASCII encoded) |
| IsDataAt | | <integer> | | |
| Toggle | | <string> | | |
| Severity | | <integer> | | |
| ContentType | | <string> | | |
| URI | | <string> | | |
| IgnoreCase | | | | |
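As an added worked example (not code from this page or from the ThreatPattern project), the following Python parses the definition syntax shown in the sample rule, enforces the three-part naming rule, and applies the Byte, String and Offset options to a byte buffer. The matching semantics are an assumption, since the page does not spell them out: content options are searched in order from the end of the previous match, and an Offset that follows a content option pins it to exactly that many bytes past that point.

```python
import re
# Constructed input: the sample definition from this page (references omitted).
SAMPLE_RULE = '''Alert("Abuse.DataHiding.Rar_File_In_Jpeg"){
Message="A JPEG file with a RAR file appended was observed";
Severity="Low";
ID=1000194;
Version=1;
BasicEncoding;
Byte="FF D9";
String="Rar!"; Offset=0;
ContentType="image/jpeg";
}'''

def parse_rule(text):
    """Return (verb, (category, subcategory, name), ordered [(option, value)])."""
    m = re.search(r'^\s*(\w+)\("([^"]+)"\)\s*\{', text)  # Verb("name"){
    parts = m.group(2).split(".")
    if len(parts) != 3:
        raise ValueError("name must be category.subcategory.name")
    options = []
    for stmt in text[m.end():text.rindex("}")].split(";"):
        stmt = stmt.strip()
        if stmt:  # flag options such as BasicEncoding get value None
            key, _, value = stmt.partition("=")
            options.append((key.strip(), value.strip().strip('"') if value else None))
    return m.group(1), tuple(parts), options

def matches(options, data):
    """Assumed semantics: Byte/String are searched in order from the end of the
    previous match; an Offset after a content option pins it to exactly that many
    bytes past that point."""
    pos, i = 0, 0
    while i < len(options):
        key, value = options[i]
        i += 1
        if key not in ("Byte", "String"):
            continue
        needle = bytes.fromhex(value) if key == "Byte" else value.encode()
        offset = None
        if i < len(options) and options[i][0] == "Offset":
            offset, i = int(options[i][1]), i + 1
        if offset is None:
            hit = data.find(needle, pos)
        else:
            hit = pos + offset if data.startswith(needle, pos + offset) else -1
        if hit < 0:
            return False
        pos = hit + len(needle)
    return True
```

Note that a JPEG may contain an FF D9 sequence before its final end-of-image marker (for example inside an embedded thumbnail), so a production evaluator would need to retry later occurrences rather than stop at the first.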