Project

General

Profile

Writing Definitions » History » Version 11

Luke Murphey, 04/03/2010 02:10 PM

1 9 Luke Murphey
{{>toc}}
2 9 Luke Murphey
3 4 Luke Murphey
h1. Definitions
4 1 Luke Murphey
5 1 Luke Murphey
h2. Definition Types
6 1 Luke Murphey
7 1 Luke Murphey
NSIA supports two types of definitions:
8 1 Luke Murphey
9 1 Luke Murphey
 * ThreatPattern
10 1 Luke Murphey
 * ThreatScript
11 2 Luke Murphey
12 3 Luke Murphey
|*ThreatScript*                                                       |*ThreatPattern*|
13 2 Luke Murphey
|Written in ECMAScript / JavaScript                                   |Written in a format similar to Snort|
14 2 Luke Murphey
|Somewhat complex to create                                           |Simple and easy to create|
15 4 Luke Murphey
|Can auto-baseline tune itself                                        |Must be ignored completely when it triggers as a false positive|
16 2 Luke Murphey
|Is stateful (remember things from previous scans)                    |Is stateless (cannot remember things from previous scans)|
17 2 Luke Murphey
|Are slower than ThreatSignatures                                     |Are faster than ThreatScripts|
18 1 Luke Murphey
|Very flexible detection logic; can be used to detect nearly anything |Functionality limited to what regular expressions|
19 2 Luke Murphey
20 4 Luke Murphey
h2. Definition IDs
21 1 Luke Murphey
22 2 Luke Murphey
Custom definitions must have an ID of 1000000 or more; only official definitions can have IDs of less than 1000000.
23 1 Luke Murphey
24 4 Luke Murphey
h2. Identifying Definition Errors
25 1 Luke Murphey
26 1 Luke Murphey
NSIA will parse definitions before they are saved in order to identify syntax and some semantic errors. Errors that are discovered during runtime are noted on the definition errors page (e.g. http://127.0.0.1:8080/Definitions/Errors) and in the event logs (e.g. http://127.0.0.1:8080/System/Eventlog).
27 1 Luke Murphey
28 4 Luke Murphey
Note that ThreatScript definitions will be flagged as having an error if they fail to complete within 10 seconds (see ScriptDefinition.MAX_SCRIPT_RUNTIME).
29 1 Luke Murphey
30 11 Luke Murphey
h2. Creating Definitions
31 1 Luke Murphey
32 11 Luke Murphey
See the following for detailed information about creating definitions:
33 2 Luke Murphey
34 11 Luke Murphey
 * [[ThreatPattern Definitions|ThreatPattern Definition]]
35 11 Luke Murphey
 * [[ThreatScript Definitions|ThreatScript Definition]]