Project

General

Profile

History

Start Here » User Guide »

Writing Definitions » History » Version 4

« Previous - Version 4/14 (diff) - Next » - Current version
Luke Murphey, 04/02/2010 07:53 PM

Definitions

Definition Types

NSIA supports two types of definitions:

  • ThreatPattern
  • ThreatScript
ThreatScript ThreatPattern
Written in ECMAScript / JavaScript Written in a format similar to Snort
Somewhat complex to create Simple and easy to create
Can auto-baseline tune itself Must be ignored completely when it triggers as a false positive
Is stateful (remember things from previous scans) Is stateless (cannot remember things from previous scans)
Are slower than ThreatSignatures Are faster than ThreatScripts
Very flexible detection logic; can be used to detect nearly anything Functionality limited to what regular expressions

Definition IDs

Custom definitions must have an ID of 1000000 or more; only official definitions can have IDs of less than 1000000.

Identifying Definition Errors

NSIA will parse definitions before they are saved in order to identify syntax and some semantic errors. Errors that are discovered during runtime are noted on the definition errors page (e.g. http://127.0.0.1:8080/Definitions/Errors) and in the event logs (e.g. http://127.0.0.1:8080/System/Eventlog).

Note that ThreatScript definitions will be flagged as having an error if they fail to complete within 10 seconds (see ScriptDefinition.MAX_SCRIPT_RUNTIME).

Creating a ThreatPattern

Alert("Abuse.DataHiding.Rar_File_In_Jpeg"){
        Message="A JPEG file with a RAR file appended was observed";
        Severity="Low";
        ID=194;
        Version=1;
        BasicEncoding;
        Byte="FF D9";
        String="Rar!"; Offset=0;
        ContentType="image/jpeg";
        Reference=url,lifehacker.com/software/encryption/hide-files-in-jpeg-images-207905.php;
        Reference=url,schmidt.devlib.org/file-formats/rar-archive-file-format.html;
}
Verb Operation Notes
Eval Causes the rule to be evaluated but no action taken. Only valid when an Set option is used. Used to set a flag that may be used in another signature (allows the rules to maintain state).
Alert Causes the rule to indicate that a match has been found. Used only to determine if the site may be compromised.
Block Causes the resource to be blocked (end user cannot access) Useful when using a proxy to control access to the servers.

Creating a ThreatScript