Detection Engine

Rules form "signatures". Rules in being group.
Modular detection elements are combined to form these signatures
Anomalous activity detection is possible; stealth scans, OS fingerprinting, invalid ICMP codes, etc
Rules system is very flexible, and creation of new rules is relatively simple