Project

General

Profile

Writing Definitions » History » Version 3

Luke Murphey, 04/02/2010 07:46 PM

1 1 Luke Murphey
h1. Writing Definitions
2 1 Luke Murphey
3 1 Luke Murphey
h2. Definition Types
4 1 Luke Murphey
5 1 Luke Murphey
NSIA supports two types of definitions:
6 1 Luke Murphey
7 1 Luke Murphey
 * ThreatPattern
8 1 Luke Murphey
 * ThreatScript
9 2 Luke Murphey
10 3 Luke Murphey
|*ThreatScript*                                                       |*ThreatPattern*|
11 2 Luke Murphey
|Written in ECMAScript / JavaScript                                   |Written in a format similar to Snort|
12 2 Luke Murphey
|Somewhat complex to create                                           |Simple and easy to create|
13 2 Luke Murphey
|Can auto-baseline tune itself                                        |Cannot baseline itself (can only be disabled entirely)|
14 2 Luke Murphey
|Is stateful (remember things from previous scans)                    |Is stateless (cannot remember things from previous scans)|
15 2 Luke Murphey
|Are slower than ThreatSignatures                                     |Are faster than ThreatScripts|
16 2 Luke Murphey
|Very flexible detection logic; can be used to detect nearly anything |Functionality limited to what regular expressions|
17 2 Luke Murphey
18 2 Luke Murphey
19 2 Luke Murphey
h2. General Notes Before You Start
20 2 Luke Murphey
21 2 Luke Murphey
h3. Definition IDs
22 2 Luke Murphey
23 2 Luke Murphey
Custom definitions must have an ID of 1000000 or more; only official definitions can have IDs of less than 1000000.
24 2 Luke Murphey
25 2 Luke Murphey
h3. Identifying Definition Errors
26 2 Luke Murphey
27 2 Luke Murphey
NSIA will parse definitions before they are saved in order to identify syntax and some semantic errors. Errors that are discovered during runtime are noted on the definition errors page (e.g. http://127.0.0.1:8080/Definitions/Errors) and in the event logs (e.g. http://127.0.0.1:8080/System/Eventlog).
28 2 Luke Murphey
29 2 Luke Murphey
ThreatScript definitions may be flagged as having an error if they fail to complete within 10 seconds (see ScriptDefinition.MAX_SCRIPT_RUNTIME).
30 2 Luke Murphey
31 2 Luke Murphey
32 2 Luke Murphey
33 2 Luke Murphey
34 2 Luke Murphey
35 2 Luke Murphey
Creating a ThreatSignature
36 2 Luke Murphey
37 2 Luke Murphey
38 2 Luke Murphey
39 2 Luke Murphey
Creating a ThreatScript