Remarks and restrictions
- Custom patterns are exclusively asq patterns (cf. section Contents of a context-based signature file). A custom pattern is a simple policy that is meant to activate a security policy and raise the associated alarm.
- The probe and mix contexts, as well as those beginning with http:javascript, are not allowed. The command enpattern -l | grep -Ev "(mix|probe)" lists the usable contexts,
- Pattern IDs must always be higher than 4096,
- Any given context accepts a maximum of 2048 signatures,
- Patterns may not contain more than 256 regular expressions (variants),
- All contexts that group definitions of custom patterns are grouped in a single file (named CustomPatterns.in in the example).
IMPORTANT
Context-based signatures may consume a lot of processor resources and memory, especially when the regular expressions that they contain do not impose any limits on the number of characters for a given search.
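The restrictions and the warning above can be checked before a custom pattern file is loaded. The following is an added example, not code from the product or its documentation: it checks already-parsed pattern definitions against the listed limits and flags regular expressions with unbounded quantifiers. The input shape (dicts with context, id and variants), the sample context names and the assumption that the patterns use common regex quantifier syntax (*, +, {n,}) are not taken from this page.

```python
import re
from collections import Counter

MIN_ID, MAX_SIGS, MAX_VARIANTS = 4096, 2048, 256  # limits listed on this page

def unbounded_quantifiers(regex):
    """Offsets of *, + or {n,} that sit outside escapes and [...] classes."""
    hits, i, in_class = [], 0, False
    while i < len(regex):
        c = regex[i]
        if c == "\\":                       # escaped character: skip it
            i += 2
            continue
        if in_class:
            in_class = c != "]"
        elif c == "[":
            in_class = True
            if regex[i + 1:i + 2] == "^":   # negated class
                i += 1
            if regex[i + 1:i + 2] == "]":   # a leading ']' is a literal
                i += 1
        elif c in "*+" or re.match(r"\{\d+,\}", regex[i:]):
            hits.append(i)
        i += 1
    return hits

def lint(patterns):
    """patterns: list of {'context', 'id', 'variants'} dicts (assumed shape)."""
    findings = []
    for ctx, n in Counter(p["context"] for p in patterns).items():
        if n > MAX_SIGS:
            findings.append(f"{ctx}: {n} signatures, maximum is {MAX_SIGS}")
    for p in patterns:
        tag = f"{p['context']} id={p['id']}"
        # Same filter as the page's grep, plus the http:javascript prefix rule
        if re.search(r"mix|probe", p["context"]) or p["context"].startswith("http:javascript"):
            findings.append(f"{tag}: context not allowed")
        if p["id"] <= MIN_ID:
            findings.append(f"{tag}: ID must be higher than {MIN_ID}")
        if len(p["variants"]) > MAX_VARIANTS:
            findings.append(f"{tag}: {len(p['variants'])} variants, maximum is {MAX_VARIANTS}")
        for v in p["variants"]:
            findings += [f"{tag}: unbounded quantifier at offset {o} in {v!r}"
                         for o in unbounded_quantifiers(v)]
    return findings

SAMPLE = [  # constructed sample data; context names are illustrative only
    {"context": "sample:ctx", "id": 4097, "variants": [r"/admin/[a-z]{1,32}\.php"]},
    {"context": "sample:ctx", "id": 4000, "variants": [r"cmd=.*\[x+\]"]},
    {"context": "http:javascript:x", "id": 5000, "variants": ["a{3,}"]},
]
if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

Replacing a flagged quantifier with a bounded one such as {1,32} is what keeps the search from scanning an arbitrary number of characters.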