Inspection Engine
Types of signatures

IDS signatures can be classified by how many packets the sensor must inspect to positively identify an alarm condition on the network. The two classifications are atomic signatures and compound signatures. Atomic signatures require only one packet to be inspected to identify an alarm condition. Compound signatures require multiple packets to be inspected to identify an alarm condition, so the sensor must store state information between those packets to analyze the traffic.

IDS signatures can also be categorized as either info or attack signatures. An info signature detects information-gathering activity, such as a port sweep. An attack signature detects attacks attempted against the protected network, such as denial-of-service attempts or the execution of illegal commands during an FTP session.
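The difference in state handling between the two classifications, as an added example that is not taken from any sensor's own code: an atomic check that decides on one packet, next to a compound port-sweep check that must remember earlier packets. The packet records, the SYN+FIN rule, the threshold and the time window are all constructed assumptions.

```python
from collections import defaultdict

# Constructed packet records: (timestamp_s, src_ip, dst_ip, dst_port, tcp_flags)
PACKETS = [
    (0.0, "198.51.100.7", "192.0.2.10", 80, {"SYN"}),
    (0.1, "203.0.113.5", "192.0.2.10", 21, {"SYN"}),
    (0.2, "203.0.113.5", "192.0.2.10", 22, {"SYN"}),
    (0.3, "203.0.113.9", "192.0.2.10", 80, {"SYN", "FIN"}),
    (0.4, "203.0.113.5", "192.0.2.10", 23, {"SYN"}),
    (0.5, "203.0.113.5", "192.0.2.10", 25, {"SYN"}),
    (9.0, "198.51.100.7", "192.0.2.10", 443, {"SYN"}),
]

SWEEP_PORTS = 4      # assumed threshold: distinct ports per (src, dst) pair
SWEEP_WINDOW = 5.0   # assumed window in seconds


def atomic_syn_fin(pkt):
    """Atomic: the decision uses only the packet in hand, no stored state."""
    return {"SYN", "FIN"} <= pkt[4]


class PortSweep:
    """Compound: must remember earlier packets per (src, dst) to decide."""

    def __init__(self):
        self.seen = defaultdict(dict)  # (src, dst) -> {port: last_seen_ts}

    def inspect(self, pkt):
        ts, src, dst, port, flags = pkt
        if flags != {"SYN"}:
            return False
        ports = self.seen[(src, dst)]
        ports[port] = ts
        # Expire state older than the window so memory stays bounded.
        for p in [p for p, t in ports.items() if ts - t > SWEEP_WINDOW]:
            del ports[p]
        return len(ports) >= SWEEP_PORTS


def run(packets):
    sweep, alarms = PortSweep(), []
    for pkt in packets:
        if atomic_syn_fin(pkt):
            alarms.append((pkt[0], pkt[1], "atomic: SYN+FIN flags"))
        if sweep.inspect(pkt):
            alarms.append((pkt[0], pkt[1], "info/compound: port sweep"))
    return alarms
```

The per-pair dictionary is the stored state the compound signature depends on; the atomic check needs none, which is why it can run on every packet at no memory cost.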