Writing Definitions » History » Version 5
Version 4 (Luke Murphey, 04/02/2010 07:53 PM) → Version 5/14 (Luke Murphey, 04/02/2010 08:24 PM)
h1. Definitions
h2. Definition Types
NSIA supports two types of definitions:
* ThreatPattern
* ThreatScript
|*ThreatScript* |*ThreatPattern*|
|Written in ECMAScript / JavaScript |Written in a format similar to Snort|
|Somewhat complex to create |Simple and easy to create|
|Can auto-baseline tune itself |Must be ignored completely when it triggers as a false positive|
|Is stateful (remember things from previous scans) |Is stateless (cannot remember things from previous scans)|
|Are slower than ThreatSignatures |Are faster than ThreatScripts|
|Very flexible detection logic; can be used to detect nearly anything |Functionality limited to what regular expressions|
h2. Definition IDs
Custom definitions must have an ID of 1000000 or more; only official definitions can have IDs of less than 1000000.
h2. Identifying Definition Errors
NSIA will parse definitions before they are saved in order to identify syntax and some semantic errors. Errors that are discovered during runtime are noted on the definition errors page (e.g. http://127.0.0.1:8080/Definitions/Errors) and in the event logs (e.g. http://127.0.0.1:8080/System/Eventlog).
Note that ThreatScript definitions will be flagged as having an error if they fail to complete within 10 seconds (see ScriptDefinition.MAX_SCRIPT_RUNTIME).
h2. Creating a ThreatPattern
ThreatPattern's similar in concept to the signatures used by the Snort IDS system. Below is a sample rule:
<pre>
Alert("Abuse.DataHiding.Rar_File_In_Jpeg"){
Message="A JPEG file with a RAR file appended was observed";
Severity="Low";
ID=194;
Version=1;
BasicEncoding;
Byte="FF D9";
String="Rar!"; Offset=0;
ContentType="image/jpeg";
Reference=url,lifehacker.com/software/encryption/hide-files-in-jpeg-images-207905.php;
Reference=url,schmidt.devlib.org/file-formats/rar-archive-file-format.html;
}
</pre>
The rules start with a action that indicates what the system should do with the rule. The action verbs are as follows:
|*Verb*|*Operation* |*Notes*|
|Eval |Causes the rule to be evaluated but no action taken. |Only valid when an Set option is used. Used to set a flag that may be used in another signature (allows the rules to maintain state).|
|Alert |Causes the rule to indicate that a match has been found. |Used only to determine if the site may be compromised.|
|Block |Causes the resource to be blocked (end user cannot access) |Useful when using a proxy to control access to the servers; this is not currently used yet.|
The following is a list of the various options:
|Option |Required |Value |Example|Description|
| ID | Yes | <integer> | 10012441 | |
| Version | | <integer> | 3 | |
| String | | <string> | haxored | Looks for the given String value |
| Regex | | PCRE | /apple/i | Looks for the given Regex (in PCRE format) |
| Bytes | | Bytes | 90 90 90 | Looks for the given bytes |
| Set | | <string> | | Sets the given variable (allows rules to maintain state) |
| UnSet | | <string> | | Unsets the given variable (allows rules to maintain state) |
| IfSet | | <string> | | Makes the action dependent upon whether the variable exists |
| IfNotSet | | <string> | | Opposite of above |
| Distance | | <string> | | Sets a maximum depth into the data that the definition will examine (from the |
| Offset | | <string> | | Sets how much data should be skipped from the previous operator |
| Depth | | | | |
| Within | | <string> | | |
| ByteTest | | operation | relative[20].length(4) > 1000 relative(4, 20) > 1000 | |
| ByteJump | | operation | align(4, 36) | |
| Reference | | <string> | | |
| BasicEncoding | | <string> | | |
servers.|
h2. Creating a ThreatScript
h2. Definition Types
NSIA supports two types of definitions:
* ThreatPattern
* ThreatScript
|*ThreatScript* |*ThreatPattern*|
|Written in ECMAScript / JavaScript |Written in a format similar to Snort|
|Somewhat complex to create |Simple and easy to create|
|Can auto-baseline tune itself |Must be ignored completely when it triggers as a false positive|
|Is stateful (remember things from previous scans) |Is stateless (cannot remember things from previous scans)|
|Are slower than ThreatSignatures |Are faster than ThreatScripts|
|Very flexible detection logic; can be used to detect nearly anything |Functionality limited to what regular expressions|
h2. Definition IDs
Custom definitions must have an ID of 1000000 or more; only official definitions can have IDs of less than 1000000.
h2. Identifying Definition Errors
NSIA will parse definitions before they are saved in order to identify syntax and some semantic errors. Errors that are discovered during runtime are noted on the definition errors page (e.g. http://127.0.0.1:8080/Definitions/Errors) and in the event logs (e.g. http://127.0.0.1:8080/System/Eventlog).
Note that ThreatScript definitions will be flagged as having an error if they fail to complete within 10 seconds (see ScriptDefinition.MAX_SCRIPT_RUNTIME).
h2. Creating a ThreatPattern
ThreatPattern's similar in concept to the signatures used by the Snort IDS system. Below is a sample rule:
<pre>
Alert("Abuse.DataHiding.Rar_File_In_Jpeg"){
Message="A JPEG file with a RAR file appended was observed";
Severity="Low";
ID=194;
Version=1;
BasicEncoding;
Byte="FF D9";
String="Rar!"; Offset=0;
ContentType="image/jpeg";
Reference=url,lifehacker.com/software/encryption/hide-files-in-jpeg-images-207905.php;
Reference=url,schmidt.devlib.org/file-formats/rar-archive-file-format.html;
}
</pre>
The rules start with a action that indicates what the system should do with the rule. The action verbs are as follows:
|*Verb*|*Operation* |*Notes*|
|Eval |Causes the rule to be evaluated but no action taken. |Only valid when an Set option is used. Used to set a flag that may be used in another signature (allows the rules to maintain state).|
|Alert |Causes the rule to indicate that a match has been found. |Used only to determine if the site may be compromised.|
|Block |Causes the resource to be blocked (end user cannot access) |Useful when using a proxy to control access to the servers; this is not currently used yet.|
The following is a list of the various options:
|Option |Required |Value |Example|Description|
| ID | Yes | <integer> | 10012441 | |
| Version | | <integer> | 3 | |
| String | | <string> | haxored | Looks for the given String value |
| Regex | | PCRE | /apple/i | Looks for the given Regex (in PCRE format) |
| Bytes | | Bytes | 90 90 90 | Looks for the given bytes |
| Set | | <string> | | Sets the given variable (allows rules to maintain state) |
| UnSet | | <string> | | Unsets the given variable (allows rules to maintain state) |
| IfSet | | <string> | | Makes the action dependent upon whether the variable exists |
| IfNotSet | | <string> | | Opposite of above |
| Distance | | <string> | | Sets a maximum depth into the data that the definition will examine (from the |
| Offset | | <string> | | Sets how much data should be skipped from the previous operator |
| Depth | | | | |
| Within | | <string> | | |
| ByteTest | | operation | relative[20].length(4) > 1000 relative(4, 20) > 1000 | |
| ByteJump | | operation | align(4, 36) | |
| Reference | | <string> | | |
| BasicEncoding | | <string> | | |
servers.|
h2. Creating a ThreatScript