Each individual signature has the format

    signature id { attribute-set }

id is a unique label for the signature. There are two types of
attributes: conditions and actions. The conditions define
when the signature matches, while the actions declare what to do in
the case of a match. Conditions can be further divided into
four types: header, content, dependency, and
context. We will discuss these in more detail in the following
subsections.
This is an example of a signature:

    signature formmail-cve-1999-0172 {
        ip-proto == tcp
        dst-ip == 1.2.0.0/16
        dst-port == 80
        http /.*formmail.*\?.*recipient=[^&]*[;|]/
        event "formmail shell command"
    }
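
As an added illustration (not part of the original documentation or the project's code), the Python below evaluates the example signature's header and content conditions against constructed connection records and returns the event message on a match. It assumes the http pattern is anchored at the start of the request URI and applied after percent-decoding; the record field names (proto, dst_ip, dst_port, uri) are hypothetical.

```python
import ipaddress
import re
from urllib.parse import unquote

# Conditions and action copied from the formmail-cve-1999-0172 signature above.
SIG = {
    "ip-proto": "tcp",
    "dst-ip": ipaddress.ip_network("1.2.0.0/16"),
    "dst-port": 80,
    "http": re.compile(r".*formmail.*\?.*recipient=[^&]*[;|]"),
    "event": "formmail shell command",
}

def evaluate(sig, conn):
    """Return the event message if every condition holds, else None."""
    # Header conditions: protocol, destination network, destination port.
    if conn["proto"] != sig["ip-proto"]:
        return None
    if ipaddress.ip_address(conn["dst_ip"]) not in sig["dst-ip"]:
        return None
    if conn["dst_port"] != sig["dst-port"]:
        return None
    # Content condition. Assumptions: the URI is percent-decoded first and
    # the pattern is anchored at the start of the URI (hence match()).
    if sig["http"].match(unquote(conn["uri"])) is None:
        return None
    return sig["event"]

# Constructed sample records (not real traffic).
SAMPLES = [
    # ';' inside the recipient value: all conditions hold.
    {"proto": "tcp", "dst_ip": "1.2.3.4", "dst_port": 80,
     "uri": "/cgi-bin/formmail.pl?recipient=a@example.com;x"},
    # ';' only in a later parameter: [^&]* stops at '&', so no match.
    {"proto": "tcp", "dst_ip": "1.2.3.4", "dst_port": 80,
     "uri": "/cgi-bin/formmail.pl?recipient=a@example.com&subject=a;b"},
    # Content would match, but the destination is outside 1.2.0.0/16.
    {"proto": "tcp", "dst_ip": "10.0.0.5", "dst_port": 80,
     "uri": "/cgi-bin/formmail.pl?recipient=a|b"},
    # '|' percent-encoded as %7C: matches only because the URI is decoded.
    {"proto": "tcp", "dst_ip": "1.2.3.4", "dst_port": 80,
     "uri": "/cgi-bin/formmail.pl?recipient=a%7Cb"},
]

def run_samples():
    return [evaluate(SIG, conn) for conn in SAMPLES]

if __name__ == "__main__":
    for conn, hit in zip(SAMPLES, run_samples()):
        print(f"{conn['dst_ip']}:{conn['dst_port']} {conn['uri']} -> {hit}")
```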