Before we begin
Product concerned: SNS 3 and higher versions
Last update: July 2017
Custom context-based protection signatures (patterns) are to be analyzed by the firewall for applications developed in-house or in addition to signatures developed by Stormshield.
These patterns are based on regular expressions (known as "variants") that make it possible to locate character strings in the data contained in exchanged network packets. The associated alarms can then block or allow the traffic detected, depending on the settings defined in the custom pattern (which can be subsequently modified on each firewall in the Configuration > Application protection > Applications and protections module).
The example illustrated in this technical note consists of detecting the string "perdu.org" in a TCP or UDP request and automatically deploying this signature in a pool of firewalls. It involves four categories of equipment: a workstation for development, an acceptance testing firewall for custom context-based protection signatures, an Active Update server for the automatic distribution of signatures, and client firewalls.
Even though the file that defines custom signatures can be written directly on the acceptance testing firewall, one of the advantages of the development workstation is the availability of many tools for validating regular expressions, which can be found online or installed locally.
Further on in this document, custom context-based protection signatures will be referred to as custom patterns.
Take note that custom patterns may reveal information that is ordinarily hidden in the firewall's logs.