KFSensor


Edit Signature Rule

Use the Edit Signature Rule dialog box to add or change a signature rule.

A signature rule consists of a set of conditions that must be met in order for the rule to be matched. The conditions consist of filters and signatures.

Properties

  • ID
    The ID uniquely identifies a rule. The ID may be up to twelve characters long. There are two conventions for rule names: external rules start with a $ and rules from KeyFocus start with a !
  • Active
    If a rule is active then it will be checked by the signature engine, otherwise it will be ignored.
  • Archive
    An archived rule is one that has been replaced by a newer version of the rule.
  • Message
    The message is a piece of text displayed to the user that describes what the rule identified.
  • Source Reference
    This is a URL link to more information on a rule.
  • Browse button
    This button opens a web browser with the URL specified in the source reference.
  • Source Type
    The source type specifies the origin of a rule and is used by the signature engine to give priority to rules. The types, listed in priority order, are:
    Name        Notes
    Hand Coded  Rules created on the local system. These are checked before rules of other types.
    KeyFocus    Rules supplied by KeyFocus.
    Imported    Rules that have been imported into KFSensor.
    External    Rules from an external system that have been converted and imported into KFSensor. These are checked after rules of other types.
  • Created
    The date and time that the rule was created or imported.
  • Edited
    The date and time that the rule was last edited.
  • Archived
    The date and time that the rule was archived.

Protocol Filter

Used to restrict a match to a specified protocol.
  • Any
  • TCP
  • UDP

From Filter

Used to restrict a match depending on the visitor's port number.
  • Port Range
    The range of ports to match. If only the first value is entered then the rule will match a single port.
    If both values are entered the rule will match all ports between the minimum and maximum port, inclusive.
  • Not From Port
    This will only match ports that are not in the given port range.
  • From Server
    This will only match data sent by the KFSensor server, not data sent by the visitor. Rules with this option set do not generate events, but they are useful for setting flag values based on the response or banner that KFSensor sent.

To Filter

Used to restrict a match depending on the KFSensor server's port number or sim server.
  • Port Range
    The range of ports to match. If only the first value is entered then the rule will match a single port.
    If both values are entered the rule will match all ports between the minimum and maximum port, inclusive.
  • Not To Port
    This will only match ports that are not in the given port range.
  • Sim Server
    The rule will only match content generated by the specified Sim Server name.
    This can be more useful than a port range if the same service is running on several ports.
    If this value ends with a '*' then it is considered a wild card and will match a sim server name beginning with the specified value.
    E.g. "IIS*" will match "IIS" and "IIS Proxy".

Special

  • dsize
    The dsize setting matches on the payload size of the received data.
  • Type
    Only events of the selected sensor type will trigger the rule.
  • Sensor Action
    Only events of the selected sensor action will trigger the rule.
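
The following Python is an added example and is not KFSensor's own code. It models how the Protocol, From, To, Sim Server and dsize filters above combine into a single match decision, and how the Source Type priority order (Hand Coded, KeyFocus, Imported, External) decides which rule is checked first. The Rule and Event classes, their field names, the sample rules and the sample event are all constructed for illustration; signature content matching (the Signatures section below) is not modelled.

```python
from dataclasses import dataclass, field
from typing import Optional

# Source types in the priority order given by the manual:
# Hand Coded rules are checked first, External rules last.
SOURCE_PRIORITY = {"Hand Coded": 0, "KeyFocus": 1, "Imported": 2, "External": 3}


@dataclass
class PortFilter:
    """Models the Port Range boxes of the From and To filters."""
    low: Optional[int] = None    # first value; None means the filter is not set
    high: Optional[int] = None   # second value; None means "single port"
    negate: bool = False         # the "Not From Port" / "Not To Port" option

    def matches(self, port: int) -> bool:
        if self.low is None:
            return True          # no range entered: no restriction
        hi = self.high if self.high is not None else self.low
        in_range = self.low <= port <= hi   # inclusive range
        return not in_range if self.negate else in_range


def sim_server_matches(pattern: Optional[str], name: str) -> bool:
    """Exact match, or prefix match when the pattern ends with '*'."""
    if not pattern:
        return True
    if pattern.endswith("*"):
        return name.startswith(pattern[:-1])
    return name == pattern


def valid_rule_id(rule_id: str, source_type: str) -> bool:
    """ID up to twelve characters; External IDs start with $, KeyFocus IDs with !."""
    if not 1 <= len(rule_id) <= 12:
        return False
    if source_type == "External":
        return rule_id.startswith("$")
    if source_type == "KeyFocus":
        return rule_id.startswith("!")
    return True


@dataclass
class Rule:
    """Hypothetical model of the filter part of a signature rule."""
    rule_id: str
    source_type: str
    protocol: str = "Any"                     # Any, TCP or UDP
    from_port: PortFilter = field(default_factory=PortFilter)
    to_port: PortFilter = field(default_factory=PortFilter)
    sim_server: Optional[str] = None
    dsize: Optional[int] = None
    active: bool = True


@dataclass
class Event:
    """Hypothetical model of one received chunk of visitor data."""
    protocol: str
    from_port: int
    to_port: int
    sim_server: str
    payload: bytes


def rule_matches(rule: Rule, ev: Event) -> bool:
    """Every filter that is set must agree; an unset filter does not restrict."""
    if not rule.active:
        return False
    if rule.protocol != "Any" and rule.protocol != ev.protocol:
        return False
    if not rule.from_port.matches(ev.from_port):
        return False
    if not rule.to_port.matches(ev.to_port):
        return False
    if not sim_server_matches(rule.sim_server, ev.sim_server):
        return False
    if rule.dsize is not None and len(ev.payload) != rule.dsize:
        return False
    return True


def first_match(rules, ev: Event) -> Optional[str]:
    """Check rules in source-type priority order; return the first matching ID."""
    # sorted() is stable, so rules of the same type keep their listed order.
    for rule in sorted(rules, key=lambda r: SOURCE_PRIORITY[r.source_type]):
        if rule_matches(rule, ev):
            return rule.rule_id
    return None


if __name__ == "__main__":
    # Constructed sample: a visitor talking to a sim server named "IIS Proxy" on 8080.
    ev = Event("TCP", 51000, 8080, "IIS Proxy", b"GET / HTTP/1.0\r\n")
    hand = Rule("WEBPROXY", "Hand Coded", "TCP", to_port=PortFilter(80, 8080), sim_server="IIS*")
    ext = Rule("$SID1001", "External", to_port=PortFilter(8080))
    print(first_match([ext, hand], ev))   # the Hand Coded rule wins the priority order
```

Both sample rules match the sample event; the Hand Coded rule is reported because it is checked before the External one, regardless of the order in which the rules were listed.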

Signatures

Each signature rule must contain at least one signature, but can contain many more.
The signatures are checked in order; a signature may be dependent on previous signature definitions.
  • Add
    Add a new signature using the Add Signature dialog box
  • Add Bytes
    Add a bytes signature using the Add Bytes Signature dialog box
  • Edit
    Edit the selected signature using the Edit Signature or the Edit Bytes Signature dialog boxes
  • Delete
    Delete the selected signature
  • Move Up
    Move the selected signature up one place in the list
  • Move Down
    Move the selected signature down one place in the list

Flags

Flags are used to link the results of one rule to another for the same connection. See the Signature Rule Flag dialog box for more details.

Action

When a signature rule is matched by the signature engine, the signature rule ID is always recorded in the event log.
It can also perform a number of other actions.
  • Severity
    Optionally changes the severity of an event.
    The actual effect of this is controlled by the selected Signature Event Severity option in the Configure Signatures dialog box.
  • Ignore
    If selected, the event will not be logged.
  • Lock Out
    If selected, the visitor will be locked out in the same way as if the visitor had performed a DoS attack.
  • No Report
    Rules with this option set never report a match. This option is only useful for setting the values of flags that other rules can then use.
