Writing Definitions » History » Version 13
Version 12 (Luke Murphey, 04/03/2010 02:14 PM) → Version 13/14 (Luke Murphey, 04/23/2010 01:33 PM)
{{>toc}}
h1. Definitions
h2. Definition Types
NSIA supports two types of definitions, see below for a comparison:
|*ThreatScript* |*ThreatPattern*|
|Written in ECMAScript / JavaScript |Written in a format similar to Snort|
|Somewhat complex to create |Simple and easy to create|
|Can auto-baseline tune itself |Must be ignored completely when it triggers as a false positive|
|Is stateful (remember things from previous scans) |Is stateless (cannot remember things from previous scans)|
|Are slower than ThreatSignatures |Are faster than ThreatScripts|
|Very flexible detection logic; can be used to detect nearly anything |Functionality limited to what regular expressions|
h2. Definition IDs
Custom definitions must have an ID of 1000000 or more; only official definitions can have IDs of less than 1000000.
h2. Identifying Definition Errors
NSIA will parse definitions before they are saved in order to identify syntax and some semantic errors. Errors that are discovered during runtime are noted on the definition errors page (e.g. http://127.0.0.1:8080/Definitions/Errors) and in the event logs (e.g. http://127.0.0.1:8080/System/Eventlog).
Note that ThreatScript definitions will be flagged as having an error if they fail to complete within 10 seconds (see ScriptDefinition.MAX_SCRIPT_RUNTIME in source:trunk/src/net/lukemurphey/nsia/scan/ScriptDefinition.java). ScriptDefinition.MAX_SCRIPT_RUNTIME).
h2. Creating Definitions
See the following for detailed information about creating definitions:
* [[ThreatPattern Definitions|ThreatPattern Definition]]
* [[ThreatScript Definitions|ThreatScript Definition]]
h1. Definitions
h2. Definition Types
NSIA supports two types of definitions, see below for a comparison:
|*ThreatScript* |*ThreatPattern*|
|Written in ECMAScript / JavaScript |Written in a format similar to Snort|
|Somewhat complex to create |Simple and easy to create|
|Can auto-baseline tune itself |Must be ignored completely when it triggers as a false positive|
|Is stateful (remember things from previous scans) |Is stateless (cannot remember things from previous scans)|
|Are slower than ThreatSignatures |Are faster than ThreatScripts|
|Very flexible detection logic; can be used to detect nearly anything |Functionality limited to what regular expressions|
h2. Definition IDs
Custom definitions must have an ID of 1000000 or more; only official definitions can have IDs of less than 1000000.
h2. Identifying Definition Errors
NSIA will parse definitions before they are saved in order to identify syntax and some semantic errors. Errors that are discovered during runtime are noted on the definition errors page (e.g. http://127.0.0.1:8080/Definitions/Errors) and in the event logs (e.g. http://127.0.0.1:8080/System/Eventlog).
Note that ThreatScript definitions will be flagged as having an error if they fail to complete within 10 seconds (see ScriptDefinition.MAX_SCRIPT_RUNTIME in source:trunk/src/net/lukemurphey/nsia/scan/ScriptDefinition.java). ScriptDefinition.MAX_SCRIPT_RUNTIME).
h2. Creating Definitions
See the following for detailed information about creating definitions:
* [[ThreatPattern Definitions|ThreatPattern Definition]]
* [[ThreatScript Definitions|ThreatScript Definition]]