Writing Definitions » History » Version 11
Luke Murphey, 04/03/2010 02:10 PM
1 | 9 | Luke Murphey | {{>toc}} |
---|---|---|---|
2 | 9 | Luke Murphey | |
3 | 4 | Luke Murphey | h1. Definitions |
4 | 1 | Luke Murphey | |
5 | 1 | Luke Murphey | h2. Definition Types |
6 | 1 | Luke Murphey | |
7 | 1 | Luke Murphey | NSIA supports two types of definitions: |
8 | 1 | Luke Murphey | |
9 | 1 | Luke Murphey | * ThreatPattern |
10 | 1 | Luke Murphey | * ThreatScript |
11 | 2 | Luke Murphey | |
12 | 3 | Luke Murphey | |*ThreatScript* |*ThreatPattern*| |
13 | 2 | Luke Murphey | |Written in ECMAScript / JavaScript |Written in a format similar to Snort| |
14 | 2 | Luke Murphey | |Somewhat complex to create |Simple and easy to create| |
15 | 4 | Luke Murphey | |Can auto-baseline tune itself |Must be ignored completely when it triggers as a false positive| |
16 | 2 | Luke Murphey | |Is stateful (remember things from previous scans) |Is stateless (cannot remember things from previous scans)| |
17 | 2 | Luke Murphey | |Are slower than ThreatSignatures |Are faster than ThreatScripts| |
18 | 1 | Luke Murphey | |Very flexible detection logic; can be used to detect nearly anything |Functionality limited to what regular expressions| |
19 | 2 | Luke Murphey | |
20 | 4 | Luke Murphey | h2. Definition IDs |
21 | 1 | Luke Murphey | |
22 | 2 | Luke Murphey | Custom definitions must have an ID of 1000000 or more; only official definitions can have IDs of less than 1000000. |
23 | 1 | Luke Murphey | |
24 | 4 | Luke Murphey | h2. Identifying Definition Errors |
25 | 1 | Luke Murphey | |
26 | 1 | Luke Murphey | NSIA will parse definitions before they are saved in order to identify syntax and some semantic errors. Errors that are discovered during runtime are noted on the definition errors page (e.g. http://127.0.0.1:8080/Definitions/Errors) and in the event logs (e.g. http://127.0.0.1:8080/System/Eventlog). |
27 | 1 | Luke Murphey | |
28 | 4 | Luke Murphey | Note that ThreatScript definitions will be flagged as having an error if they fail to complete within 10 seconds (see ScriptDefinition.MAX_SCRIPT_RUNTIME). |
29 | 1 | Luke Murphey | |
30 | 11 | Luke Murphey | h2. Creating Definitions |
31 | 1 | Luke Murphey | |
32 | 11 | Luke Murphey | See the following for detailed information about creating definitions: |
33 | 2 | Luke Murphey | |
34 | 11 | Luke Murphey | * [[ThreatPattern Definitions|ThreatPattern Definition]] |
35 | 11 | Luke Murphey | * [[ThreatScript Definitions|ThreatScript Definition]] |