mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
Fix typos and formatting in the signature framework docs
This commit is contained in:
Daniel Thayer
parent
5a0e3dda7e
commit
f5d6931f00
1 changed files with 30 additions and 26 deletions
|
|
@ -11,21 +11,23 @@ export {
|
|||
redef enum Notice::Type += {
|
||||
## Generic notice type for notice-worthy signature matches.
|
||||
Sensitive_Signature,
|
||||
## Host has triggered many signatures on the same host. The number of
|
||||
## signatures is defined by the
|
||||
## Host has triggered many signatures on the same host. The
|
||||
## number of signatures is defined by the
|
||||
## :bro:id:`Signatures::vert_scan_thresholds` variable.
|
||||
Multiple_Signatures,
|
||||
## Host has triggered the same signature on multiple hosts as defined
|
||||
## by the :bro:id:`Signatures::horiz_scan_thresholds` variable.
|
||||
## Host has triggered the same signature on multiple hosts as
|
||||
## defined by the :bro:id:`Signatures::horiz_scan_thresholds`
|
||||
## variable.
|
||||
Multiple_Sig_Responders,
|
||||
## The same signature has triggered multiple times for a host. The
|
||||
## number of times the signature has been triggered is defined by the
|
||||
## :bro:id:`Signatures::count_thresholds` variable. To generate this
|
||||
## notice, the :bro:enum:`Signatures::SIG_COUNT_PER_RESP` action must
|
||||
## bet set for the signature.
|
||||
## The same signature has triggered multiple times for a host.
|
||||
## The number of times the signature has been triggered is
|
||||
## defined by the :bro:id:`Signatures::count_thresholds`
|
||||
## variable. To generate this notice, the
|
||||
## :bro:enum:`Signatures::SIG_COUNT_PER_RESP` action must be
|
||||
## set for the signature.
|
||||
Count_Signature,
|
||||
## Summarize the number of times a host triggered a signature. The
|
||||
## interval between summaries is defined by the
|
||||
## Summarize the number of times a host triggered a signature.
|
||||
## The interval between summaries is defined by the
|
||||
## :bro:id:`Signatures::summary_interval` variable.
|
||||
Signature_Summary,
|
||||
};
|
||||
|
|
@ -37,11 +39,12 @@ export {
|
|||
## All of them write the signature record to the logging stream unless
|
||||
## declared otherwise.
|
||||
type Action: enum {
|
||||
## Ignore this signature completely (even for scan detection). Don't
|
||||
## write to the signatures logging stream.
|
||||
## Ignore this signature completely (even for scan detection).
|
||||
## Don't write to the signatures logging stream.
|
||||
SIG_IGNORE,
|
||||
## Process through the various aggregate techniques, but don't report
|
||||
## individually and don't write to the signatures logging stream.
|
||||
## Process through the various aggregate techniques, but don't
|
||||
## report individually and don't write to the signatures logging
|
||||
## stream.
|
||||
SIG_QUIET,
|
||||
## Generate a notice.
|
||||
SIG_LOG,
|
||||
|
|
@ -64,20 +67,21 @@ export {
|
|||
|
||||
## The record type which contains the column fields of the signature log.
|
||||
type Info: record {
|
||||
## The network time at which a signature matching type of event to
|
||||
## be logged has occurred.
|
||||
## The network time at which a signature matching type of event
|
||||
## to be logged has occurred.
|
||||
ts: time &log;
|
||||
## The host which triggered the signature match event.
|
||||
src_addr: addr &log &optional;
|
||||
## The host port on which the signature-matching activity occurred.
|
||||
## The host port on which the signature-matching activity
|
||||
## occurred.
|
||||
src_port: port &log &optional;
|
||||
## The destination host which was sent the payload that triggered the
|
||||
## signature match.
|
||||
## The destination host which was sent the payload that
|
||||
## triggered the signature match.
|
||||
dst_addr: addr &log &optional;
|
||||
## The destination host port which was sent the payload that triggered
|
||||
## the signature match.
|
||||
## The destination host port which was sent the payload that
|
||||
## triggered the signature match.
|
||||
dst_port: port &log &optional;
|
||||
## Notice associated with signature event
|
||||
## Notice associated with signature event.
|
||||
note: Notice::Type &log;
|
||||
## The name of the signature that matched.
|
||||
sig_id: string &log &optional;
|
||||
|
|
@ -103,8 +107,8 @@ export {
|
|||
## different responders has reached one of the thresholds.
|
||||
const horiz_scan_thresholds = { 5, 10, 50, 100, 500, 1000 } &redef;
|
||||
|
||||
## Generate a notice if, for a pair [orig, resp], the number of different
|
||||
## signature matches has reached one of the thresholds.
|
||||
## Generate a notice if, for a pair [orig, resp], the number of
|
||||
## different signature matches has reached one of the thresholds.
|
||||
const vert_scan_thresholds = { 5, 10, 50, 100, 500, 1000 } &redef;
|
||||
|
||||
## Generate a notice if a :bro:enum:`Signatures::SIG_COUNT_PER_RESP`
|
||||
|
|
@ -112,7 +116,7 @@ export {
|
|||
const count_thresholds = { 5, 10, 50, 100, 500, 1000, 10000, 1000000, } &redef;
|
||||
|
||||
## The interval between when :bro:enum:`Signatures::Signature_Summary`
|
||||
## notice are generated.
|
||||
## notices are generated.
|
||||
const summary_interval = 1 day &redef;
|
||||
|
||||
## This event can be handled to access/alter data about to be logged
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue