8.2 Signature language

Each individual signature has the format

     signature id { attribute-set }

id is a unique label for the signature. There are two types of attributes: conditions and actions. The conditions define when the signature matches, while the actions declare what to do in the case of a match. Conditions can be further divided into four types: header, content, dependency, and context. We will discuss these in more detail in the following subsections.

This is an example of a signature:

     signature formmail-cve-1999-0172 {
       ip-proto == tcp
       dst-ip == 1.2.0.0/16
       dst-port == 80
       http /.*formmail.*\?.*recipient=[^&]*[;|]/
       event "formmail shell command"
     }
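
As an added illustration (not part of the original manual or of the signature engine's code), the following Python model splits the example signature into its header conditions, content condition and action, and evaluates them against constructed requests. The connection fields (`proto`, `dst_ip`, `dst_port`, `uri`), the `==` comparator on every header test, and matching the `http` pattern from the start of the request URI are assumptions of this model.

```python
import ipaddress
import re

# The example signature from the text; every header test uses '=='.
SIG = r'''
signature formmail-cve-1999-0172 {
  ip-proto == tcp
  dst-ip == 1.2.0.0/16
  dst-port == 80
  http /.*formmail.*\?.*recipient=[^&]*[;|]/
  event "formmail shell command"
}
'''

def parse_signature(text):
    """Split one signature into its id, header/content conditions and actions."""
    m = re.search(r'signature\s+(\S+)\s*\{(.*)\}', text, re.S)
    sig = {"id": m.group(1), "header": {}, "content": [], "actions": []}
    for line in filter(None, (l.strip() for l in m.group(2).splitlines())):
        key, rest = line.split(None, 1)
        if key == "event":                   # action: message of the raised event
            sig["actions"].append(rest.strip('"'))
        elif key == "http":                  # content condition: /regex/
            sig["content"].append(re.compile(rest[1:-1]))
        else:                                # header condition: key == value
            op, value = rest.split(None, 1)
            if op != "==":
                raise ValueError(f"unsupported comparator {op!r}")
            sig["header"][key] = value
    return sig

def match(sig, conn):
    """Return the event messages if every condition holds, else an empty list."""
    h = sig["header"]
    net = ipaddress.ip_network(h.get("dst-ip", "0.0.0.0/0"))
    ok = (conn["proto"] == h.get("ip-proto", conn["proto"])
          and ipaddress.ip_address(conn["dst_ip"]) in net
          and conn["dst_port"] == int(h.get("dst-port", conn["dst_port"]))
          # Assumption: the pattern is anchored at the start of the request URI.
          and all(p.match(conn["uri"]) for p in sig["content"]))
    return list(sig["actions"]) if ok else []

# Constructed sample requests (not taken from real traffic).
BAD = {"proto": "tcp", "dst_ip": "1.2.3.4", "dst_port": 80,
       "uri": "/cgi-bin/formmail.pl?recipient=user@example.com;x"}
OK = dict(BAD, uri="/cgi-bin/formmail.pl?recipient=user@example.com&subject=hi")
```

All conditions are combined with a logical AND: changing any single header field of `BAD`, or removing the `;` from the recipient value, stops the event from being raised.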