BNF grammar for attack signature rules: each Attack rule consists of an attack name, a list of packet-level Signatures, a substring Match, and a Description.
Attack ::= attack_name { Signatures
Match
Description }
Attack_name ::=
Signatures ::= Signature Signatures | ε
Signature ::= IP_SIGNATURE | DIR | GET_SIGNATURE |
OPT_SIGNATURE | Exp_Signature | Proto | ε
Proto ::= TCP | IP | ICMP | UDP
IP_SIGNATURE ::= (SIP | DIP) ip_addr [/ mask] | ε
IP_ADDR ::=
Mask ::=
Opt_signature ::= OPT: OPTS | ε
OPTS ::= (OPT | ! OPT) OPTS | ε
Opt ::= CWR | ECN | URG | ACK | PUSH | RESET | SYN | FIN | ε
Dir ::= S2D | D2S | ε
Exp_signature ::= Exp_name: EXPS | ε
Exp_name ::= SPORT | DPORT | UDPLEN | TCPLEN | IPLEN |
TCPSEQUENCE | ε
EXPS ::= Exp exps | ε
EXP ::=
Exp ::= exp (or | and) exp
Exp ::= ! EXP
GET_SIGNATURE ::= matchget
Match ::= SUBSTR MATCH | ε
Substr ::= SUBSTR (matching string, matching start point, matching end point, matching mode)
Matching mode ::= NOCASE | Anamorphosis
Description ::= Alarm Confidence Severity CVE
Alarm ::= @ alarm = Attack code, attack type
Confidence ::= ! Confidence =
Severity ::= ! Severity =
CVE ::=