Edit Signature
Use the Edit Signature dialog box to add or change a signature definition.
The bytes signature type is handled by the Edit Bytes Signature dialog box.
The Signatures section of the KFSensor Concepts section of the manual
describes how signatures are matched in more detail.
Content
The signature content is the text, binary data, or regular expression that must be found in an event for the
signature to match. The format of the content depends on the selected Match Type.
Match options
- Match Type
The Match Type controls how, and against what, the content is matched.
Non-printable characters need to be encoded using the inline bracketed hex format.
For example, "[0A]" will match a new line character.
Regular expressions have their own special format.
| Type | Notes |
|------|-------|
| String | The raw data received from the visitor is matched against the signature content using a fast string search algorithm. |
| URL | In the case of an HTTP request the URL may be encoded in a special format, which is often used to hide a specific attack pattern. With this type of signature the content is matched against the decoded (normalized) form of the URL. This only works for events generated by the HTTP Sim Server. |
| Reg Ex | This type matches the content as a Perl regular expression. For more information on the format and options of Perl regular expressions, see the PCRE web site at http://www.pcre.org |
| Decoded | Certain service protocols, such as NetBIOS, use compact binary messages. Where KFSensor can decode these, they are recorded in the event in a text format. This type of signature matches against the decoded text, which makes rules easier to write. For example, an MS SQL Server login request contains an encoded user name field; the signature "User: root" is matched against the decoded message and not the raw data. |
- Not Match
If selected, the signature will only match if the content is not found.
- Case Insensitive
If selected, the content is matched regardless of the text's case.
Range from start
These settings are relative to the start of the event data.
- Offset
The offset specifies how many bytes into the event data the search begins.
For example, an offset of 4 causes the first 4 bytes to be ignored.
- Depth
The depth specifies how much of the event data will be searched.
For example, a depth of 100 means that data after the 100th byte is ignored.
Range from prev signature
These settings are relative to the end of the data matched by the previous signature.
- Distance
The distance is the number of bytes after the last match that are skipped before the event data is searched.
- Within
The within is the amount of event data after the last match that will be searched.
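To make the match options and the two range settings concrete, here is an added Python example (not KFSensor's own code) that applies a chain of signatures to one event, honouring Match Type (String and Reg Ex only), Not Match, Case Insensitive, Offset/Depth and Distance/Within. The `Signature` field names, the exact window arithmetic and the sample event are this example's assumptions; the URL and Decoded match types are not modelled.

```python
import re
from dataclasses import dataclass
from typing import Optional
@dataclass
class Signature:  # one signature line with its dialog options (field names are this example's own)
    content: str
    match_type: str = "String"      # "String" or "Reg Ex"
    not_match: bool = False
    case_insensitive: bool = False
    offset: int = 0                 # range from start: first bytes to ignore
    depth: Optional[int] = None     # range from start: ignore data after this byte
    distance: Optional[int] = None  # range from prev: bytes to skip after the last match
    within: Optional[int] = None    # range from prev: bytes after the last match to search

def decode_inline_hex(content: str) -> bytes:
    """Turn inline bracketed hex into bytes: "[0D][0A]" becomes b"\\r\\n"."""
    return re.sub(rb"\[([0-9A-Fa-f]{2})\]", lambda m: bytes.fromhex(m.group(1).decode()),
                  content.encode("latin-1"))

def find_in_window(sig: Signature, window: bytes) -> Optional[int]:
    """Return the end position of the first match inside window, or None."""
    if sig.match_type == "Reg Ex":
        m = re.search(sig.content.encode("latin-1"), window, re.IGNORECASE if sig.case_insensitive else 0)
        return m.end() if m else None
    needle, hay = decode_inline_hex(sig.content), window
    if sig.case_insensitive:
        needle, hay = needle.lower(), hay.lower()
    return None if (pos := hay.find(needle)) < 0 else pos + len(needle)

def match_event(event: bytes, sigs: list) -> bool:
    """All signatures must succeed in order. Assumption: offset/depth count from byte 0,
    distance/within from the end of the previous match, which a Not Match line leaves unchanged."""
    prev_end = 0
    for sig in sigs:
        if sig.distance is not None or sig.within is not None:   # range from prev signature
            start = prev_end + (sig.distance or 0)
            end = len(event) if sig.within is None else prev_end + sig.within
        else:                                                     # range from start
            start, end = sig.offset, (len(event) if sig.depth is None else sig.depth)
        hit = find_in_window(sig, event[start:end])
        if (hit is None) != sig.not_match:  # absent when required, or present when forbidden
            return False
        prev_end = start + hit if hit is not None else prev_end
    return True
# Constructed sample event (not a real capture) and a four-line rule that matches it
SAMPLE_EVENT = b"GET /index.html HTTP/1.0\r\nHost: example.com\r\n"
SAMPLE_RULE = [Signature("get ", case_insensitive=True, depth=4),
               Signature("HTTP/1.0[0D][0A]", distance=0),
               Signature(r"^Host: [a-z.]+", match_type="Reg Ex", within=20),
               Signature("example.org", not_match=True)]
```

Each line narrows the search window before the next one runs, so a rule of several signatures only fires when every line matches in sequence.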
Buttons
- Validate
This button checks whether the signature is valid.
In the case of a regular expression, the content is compiled to check that it is valid.