IDS signatures can be classified by how many packets it takes for
the sensor to positively identify an alarm condition on the network. The two
classifications are atomic signatures and compound signatures. Atomic
signatures require only one packet to be inspected to identify an alarm
condition. Compound signatures require multiple packets to be inspected to
identify an alarm condition, so the sensor must store state information
between those packets to analyze traffic for compound signatures.

IDS signatures can also be categorized as either info or attack signatures.
An info signature detects information-gathering activity, such as a port sweep.
An attack signature detects attacks attempted against the protected network, such
as denial-of-service attempts or the execution of illegal commands during an
FTP session.
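
The difference between the two classes shows up directly in detection code. The sketch below is an added example, not taken from any sensor's implementation: the atomic check decides from one packet, while the port sweep check has to keep per-source state between packets. The signature names, category labels, thresholds and sample traffic are all assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

FIN, SYN = 0x01, 0x02
SWEEP_PORTS = 5       # assumed threshold: distinct ports probed
SWEEP_WINDOW = 10.0   # assumed window, in seconds

@dataclass
class Packet:
    ts: float
    src: str
    dst: str
    dport: int
    flags: int

def atomic_syn_fin(pkt):
    """Atomic signature: this one packet is enough to decide."""
    return (pkt.flags & (SYN | FIN)) == (SYN | FIN)

class PortSweep:
    """Compound signature: keeps state between packets."""
    def __init__(self):
        self.seen = defaultdict(dict)   # (src, dst) -> {dport: last seen ts}

    def inspect(self, pkt):
        if pkt.flags != SYN:            # only bare connection attempts count
            return False
        ports = self.seen[(pkt.src, pkt.dst)]
        ports[pkt.dport] = pkt.ts
        for port in [p for p, t in ports.items() if pkt.ts - t > SWEEP_WINDOW]:
            del ports[port]             # expire state older than the window
        if len(ports) < SWEEP_PORTS:
            return False
        ports.clear()                   # one alarm per sweep
        return True

def run(packets):
    """Return (category, kind, name, source) for each alarm raised."""
    sweep, alarms = PortSweep(), []
    for pkt in packets:
        if atomic_syn_fin(pkt):
            alarms.append(("attack", "atomic", "TCP SYN+FIN", pkt.src))
        if sweep.inspect(pkt):
            alarms.append(("info", "compound", "port sweep", pkt.src))
    return alarms

# Constructed sample traffic (documentation address ranges).
SAMPLE = [Packet(0.1 * i, "192.0.2.10", "198.51.100.5", 20 + i, SYN) for i in range(5)]
SAMPLE.append(Packet(1.0, "192.0.2.20", "198.51.100.5", 80, SYN | FIN))
SAMPLE.append(Packet(2.0, "192.0.2.30", "198.51.100.5", 443, SYN))
```

The state table is the cost of a compound signature: it grows with the number of active source and target pairs, which is why the example expires old entries and clears them after an alarm.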