Remarks and restrictions

  • Custom patterns are exclusively asq patterns (cf. section Contents of a context-based signature file). Such a pattern is a simple policy meant to activate a security policy and raise the associated alarm.
  • The probe and mix contexts as well as those beginning with http:javascript are not allowed. The command enpattern -l | grep -Ev "(mix|probe)" makes it possible to list usable contexts.
  • Pattern IDs must always be higher than 4096,
  • Any given context accepts a maximum of 2048 signatures,
  • Patterns may not contain more than 256 regular expressions (variants),
  • All contexts that group definitions of custom patterns are grouped in a single file (named CustomPatterns.in in the example).

IMPORTANT
Context-based signatures may consume a lot of processor resources and memory, especially when the regular expressions that they contain do not impose any limits on the number of characters for a given search.
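
The restrictions and the resource warning above can be checked before a custom pattern set is loaded. The following is an added example, not code from the product or its documentation: it works on a hypothetical in-memory list of dicts (not the CustomPatterns.in syntax), uses placeholder context names, assumes one signature per pattern, and assumes the common regular expression quantifier syntax (*, +, {n,}).

```python
import re
from collections import Counter

MIN_ID = 4097                 # page: IDs must be higher than 4096
MAX_SIGS_PER_CONTEXT = 2048   # page: per-context signature limit
MAX_VARIANTS = 256            # page: regular expressions per pattern
# Escapes and [...] classes are matched first so their contents are ignored.
_TOKEN = re.compile(r"\\.|\[\^?\]?(?:\\.|[^\]])*\]|\{\d*,\}|[*+]", re.S)

def unbounded_quantifiers(regex):
    """Return (offset, token) for every quantifier without an upper limit."""
    return [(m.start(), m.group()) for m in _TOKEN.finditer(regex)
            if m.group()[0] not in "\\["]

def context_allowed(ctx):
    # Mirrors the page's grep filter, plus the http:javascript prefix rule.
    return not (ctx.startswith("http:javascript") or "mix" in ctx or "probe" in ctx)

def lint(patterns):
    """Check a list of {'id', 'context', 'variants'} dicts; return issue strings."""
    issues, per_context = [], Counter()
    for p in patterns:
        tag = f"pattern {p['id']}"
        if p["id"] < MIN_ID:
            issues.append(f"{tag}: ID must be higher than 4096")
        if not context_allowed(p["context"]):
            issues.append(f"{tag}: context {p['context']} is not allowed")
        if len(p["variants"]) > MAX_VARIANTS:
            issues.append(f"{tag}: more than {MAX_VARIANTS} variants")
        per_context[p["context"]] += 1   # assumes one signature per pattern
        for rx in p["variants"]:
            issues += [f"{tag}: unbounded '{t}' at offset {o} in {rx!r}"
                       for o, t in unbounded_quantifiers(rx)]
    issues += [f"context {c}: more than {MAX_SIGS_PER_CONTEXT} signatures"
               for c, n in per_context.items() if n > MAX_SIGS_PER_CONTEXT]
    return issues

SAMPLE = [  # constructed sample; context names are placeholders
    {"id": 4097, "context": "example:context",
     "variants": [r"User-Agent: [a-z]{1,32}bot"]},      # bounded: no finding
    {"id": 4096, "context": "example:context",
     "variants": [r"cmd=.*exec"]},                      # low ID, unbounded *
    {"id": 5000, "context": "http:javascript:example",
     "variants": [r"\*literal\{2,\}[*+]x{3,}"]},        # bad context, open {3,}
]
```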