KFSensor


Edit Signature

Use the Edit Signature dialog box to add or change a signature definition.

The bytes signature type is handled by the Edit Bytes Signature dialog box.

The Signatures topic in the KFSensor Concepts section of the manual describes in more detail how signatures are matched.

Content

The signature content is the text, binary data, or regular expression that needs to be found in an event in order for the signature to be matched. The format of the content is dependent on the selected Match Type.

Match options

  • Match Type
    The Match Type controls how and what the content is matched against.
    Non-printable characters need to be encoded using the inline bracketed hex format.
    For example, "[0A]" will match a new line character.
    Regular expressions have their own special format.
    Type         Notes
    String       The raw data received from the visitor is matched against the signature content using a fast string search algorithm.
    URL          In the case of an HTTP request the URL may be encoded in a special format. This is often used to hide a specific attack pattern. With this type of signature the content is matched against the decoded or normalized form of the URL. This will only work for events generated by the HTTP Sim Server.
    Reg Ex       This type matches the content as a Perl regular expression. For more information on the format and options for Perl regular expressions, see the PCRE web site at http://www.pcre.org
    Decoded      Certain service protocols, such as NetBIOS, use compact binary messages. Where KFSensor can decode these they are recorded in the event in a text format. This type of signature matches against the decoded text to make rules easier to write. For example, an MS SQL Server log in request contains an encoded user name field. The signature "User: root" will be matched against the decoded message and not the raw data.
    Description  This option causes the signature to try to match the Description field of an event. Certain types of event, such as a SYN scan, have no content to match, but a description is generated by the system. This can be used to identify those types of event.
  • Not Match
    If selected then the signature will only match if the content is not found.
  • Case Insensitive
    If selected then the content is matched regardless of the text's case.

Range from start

These settings are relative to the start of the event data.
  • Offset
    The offset specifies that the search should only begin the specified number of bytes into the event data.
    For example, an offset of 4 would cause the first 4 bytes to be ignored.
  • Depth
    The depth specifies how much of the event data will be searched.
    For example, a depth of 100 would mean that data after the 100th byte would be ignored.

Range from prev signature

These settings are relative to the end of the data matched by the previous rule.
  • Distance
    The distance is the number of bytes after the last match that should be ignored before searching the event data.
  • Within
    The within is the amount of event data after the last match that will be searched.
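As an added illustration (not KFSensor's own code), the following Python models how the Match options and the two Range sections above combine: bracketed-hex decoding for String content, Reg Ex matching, Not Match, Case Insensitive, Offset/Depth for the first signature and Distance/Within for the ones after it. It assumes a rule is an ordered list of signatures, each searched in a window that is relative to the start of the event data for the first signature and to the end of the previous match thereafter; the URL, Decoded and Description types are omitted because they depend on KFSensor's own decoders and event fields, Python's re stands in for PCRE, and the sample event and rule are constructed.

```python
import re
from dataclasses import dataclass

def decode_content(text: str) -> bytes:
    """Expand inline bracketed hex ("[0A]" -> newline) in a String-type content field."""
    raw = text.encode("latin-1")
    return re.sub(rb"\[([0-9A-Fa-f]{2})\]", lambda m: bytes([int(m.group(1), 16)]), raw)

@dataclass
class Signature:
    content: str
    match_type: str = "string"    # "string" (raw search) or "regex" (PCRE-style; Python re here)
    not_match: bool = False
    case_insensitive: bool = False
    offset: int = 0               # range from start: bytes skipped before the search begins
    depth: "int | None" = None    # range from start: data after this byte is ignored
    distance: int = 0             # range from prev signature: bytes skipped after the last match
    within: "int | None" = None   # range from prev signature: bytes after the last match to search

def match_one(sig, data: bytes, prev_end):
    """Apply one signature; return (matched, end offset the next signature is measured from)."""
    if prev_end is None:  # first signature: window is relative to the start of the event data
        start, stop = sig.offset, (len(data) if sig.depth is None else sig.depth)
    else:                 # later signatures: window is relative to the end of the previous match
        start = prev_end + sig.distance
        stop = len(data) if sig.within is None else prev_end + sig.within
    pattern = (sig.content.encode("latin-1") if sig.match_type == "regex"
               else re.escape(decode_content(sig.content)))
    found = re.search(pattern, data[start:stop], re.IGNORECASE if sig.case_insensitive else 0)
    if sig.not_match:     # a negated signature matches on absence and does not move the anchor
        return found is None, prev_end
    return (False, prev_end) if found is None else (True, start + found.end())

def match_rule(signatures, data: bytes) -> bool:
    """A rule matches only if every signature matches, each searched relative to the one before."""
    prev_end = None
    for sig in signatures:
        ok, prev_end = match_one(sig, data, prev_end)
        if not ok:
            return False
    return True

# Constructed sample event (not real honeypot output): an HTTP request as received from a visitor.
SAMPLE = b"GET /index.html HTTP/1.0\r\nUser-Agent: Probe/1.0\r\n\r\n"
RULE = [Signature("GET ", depth=4),                              # must be within the first 4 bytes
        Signature("index", distance=1, within=20),               # found shortly after the method
        Signature("http/1.0[0D][0A]", case_insensitive=True),    # bracketed hex encodes CR LF
        Signature(r"User-Agent:\s+\S+", match_type="regex"),     # Reg Ex type, content used as-is
        Signature("Authorization:", not_match=True)]             # header must be absent afterwards
```

Running `match_rule(RULE, SAMPLE)` returns True; changing the method to POST fails at the first signature because its Depth of 4 limits the search to the first four bytes.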

Buttons

  • Validate
    This button checks whether the signature is valid.
    In the case of a regular expression the content is compiled to check it is valid.
