signatures: Document custom event

Not sure about the best syntax to use. It's literal brackets, so not quite sure.
zeek · Nov 30, 2023 · f09f9e8 · f09f9e8
1 parent 58bcac3
commit f09f9e8
Showing 1 changed file with 36 additions and 0 deletions.
diff --git a/frameworks/signatures.rst b/frameworks/signatures.rst
@@ -45,6 +45,9 @@ This script contains a default event handler that raises
 :zeek:enum:`Signatures::Sensitive_Signature` :doc:`Notices <notice>`
 (as well as others; see the beginning of the script).
 
+As documented in :ref:`signatures-actions`, it's possible to use a custom
+event instead of :zeek:id:`signature_match`.
+
 As signatures are independent of Zeek's scripts, they are put into
 their own file(s). There are three ways to specify which files contain
 signatures: By using the ``-s`` flag when you invoke Zeek, or by
@@ -258,6 +261,8 @@ matched. The following context conditions are defined:
     state is rejected as an error in the signature since it does not have a
     useful meaning like it does for TCP.
 
+.. _signatures-actions:
+
 Actions
 -------
 
@@ -277,6 +282,37 @@ two actions defined:
     match (this may be empty for signatures without content
     conditions).
 
+``event [event_name] <string>``
+
+    .. versionadded:: 6.2
+
+    The event keyword supports additional syntax to select a different
+    event handler to invoke::
+
+        event [my_signature_match] "Found root!"
+
+    Instead of :zeek:id:`signature_match`, this will raise ``my_signature_match``.
+    The parameters for ``my_signature_match`` are expected to be the same as for
+    :zeek:id:`signature_match`.
+
+    Using an alternative event allows to make the message optional::
+
+      event [found_root]
+
+    In this case, the type of the ``found_root`` handler is.
+
+    .. code-block:: zeek
+
+        event found_root(state: signature_state, data: string)
+
+    It is not possible to mix events with and without the message paramteer.
+
+    .. note::
+
+      Matches for signatures that use custom events will not appear
+      in ``signatures.log``.
+
+
 ``enable <string>``
     Enables the protocol analyzer ``<string>`` for the matching
     connection (``"http"``, ``"ftp"``, etc.). This is used by Zeek's