Contents of a context-based signature file
The most basic structure of the file defining custom context-based signatures is as follows:
- A "[global.context]" section, unique to each context, in which the revision number of the signatures is specified:

Field name | Description | Possible values (meaning)
--- | --- | ---
Revision= | Revision number of the signatures. | Full value. Example: 1.2, etc.
- For every custom context-based pattern, an "[identifier.context]" section that contains all of the following mandatory fields (the fields in the section can be in any order):

Field name | Description | Possible values (meaning)
--- | --- | ---
type= | Specifies the pattern's scope of application. | asq
classification= | Category of the pattern. In the web administration interface (Applications and protections > Display by inspection profile module), this field makes it possible to: | 0 (Protections), 1 (Applications), 2 (Malware)
action_fw= | Action applied by the alarm associated with the custom pattern. This field is made up of 4 values, separated by commas, without spaces, corresponding to the 4 predefined security templates: Internet, Low, Medium and High. | pass, block. Example: pass,pass,pass,pass or pass,pass,block,block
level_fw= | Level assigned to the associated alarm. This field is made up of 4 values, separated by commas, without spaces, corresponding to the 4 predefined security templates: Internet, Low, Medium and High. | ignore, minor, major. Example: ignore,minor,major,major or major,major,major,major
description= | Short description of the pattern, written in English. It appears in the Message column of the Applications and protections module. | Customized text surrounded by quotation marks. Example: "Access to perdu.org site"
ldescr= | Additional information about the signature, in English. It is displayed in a tool tip when the mouse hovers over the description of the alarm (Message column of the Applications and protections module). | Customized text surrounded by quotation marks. Example: "This custom signature is able to detect when a computer tries to connect to the website perdu.org"
1= | First regular expression used in the pattern. | Regular expression surrounded by quotation marks
This section may also contain the following optional fields:
Field name | Description | Possible values (meaning)
--- | --- | ---
severity= | Level of severity assigned to the threat detected by the custom pattern. | 0 (Information), 1 (Low), 2 (Moderate), 3 (High), 4 (Critical)
resource= | Assigns the icon of the relevant application to the pattern. This icon appears to the right of the classification icon. | Customized text. Example: Googleplus
description_fr= | Short description of the pattern, written in French. It appears in the Message column of the Applications and protections module. | Customized text surrounded by quotation marks. Example: "Accès au site perdu.org"
ldescr_fr= | Additional information about the signature, in French. It is displayed in a tool tip when the mouse hovers over the description of the alarm (Message column of the Applications and protections module). | Customized text surrounded by quotation marks. Example: "Cette signature personnalisée est capable de détecter lorsqu'un poste tente d'accéder au site perdu.org"
reference= | For custom patterns, this field is for reference only. In some cases, it completes the description of the pattern in the CustomPatterns.in file. | url,http://www.xxx.yz. Example: url,http://documentation.stormshield.eu
2=, 3=, 4=, etc. | Additional regular expressions (variants). When several variants are defined, their IDs must be consecutive. Example of an invalid list of variants: 1="blue" 3="red" 4="green" 6="yellow" | Regular expression surrounded by quotation marks
Fromasqversion= | Lowest version of SNS firmware needed in order to manage the pattern. | Version number. Example: 1.0.0
Uptoasqversion= | Highest version of SNS firmware on which the pattern is managed. | Version number. Example: 8.0.0
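The tables above give the rules a signature file must satisfy (a [global.context] section with Revision=, the mandatory fields of each "[identifier.context]" section, four comma-separated values without spaces in action_fw= and level_fw=, quoted descriptions, consecutive variant IDs). The validator below is an added example, not Stormshield's own code or tooling: it parses a constructed CustomPatterns.in text and reports every rule it finds broken, including the invalid 1/3/4/6 variant list from the table. Assumptions not stated on this page: the file is INI-like ([section] headers, key=value lines, '#' comment lines), a value counts as quoted when it starts and ends with a double quotation mark, and Python's re module is only used to sanity-check regex syntax, since the ASQ engine's regex dialect may differ from Python's.

```python
"""Validate a CustomPatterns.in file against the rules in the tables above.
Added example, not Stormshield's own tooling. Assumed, not stated on this page: the file
is INI-like ([section] headers, key=value lines, '#' comments); a value counts as quoted
when it starts and ends with a double quotation mark; Python's re module is used only as
a syntax sanity check, since the ASQ engine's regex dialect may differ.
"""
import re

MANDATORY = ("type", "classification", "action_fw", "level_fw", "description", "ldescr", "1")
QUOTED_FIELDS = ("description", "ldescr", "description_fr", "ldescr_fr")
ACTIONS, LEVELS = {"pass", "block"}, {"ignore", "minor", "major"}
PROFILES = 4  # Internet, Low, Medium, High

def parse_sections(text):
    """Parse the file into {section_name: {field: raw_value}}; quotation marks are kept."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            raise ValueError(f"line outside a section or without '=': {line!r}")
        key, value = line.split("=", 1)
        sections[current][key.strip()] = value.strip()
    return sections

_quoted = lambda v: len(v) >= 2 and v[0] == v[-1] == '"'  # value surrounded by quotation marks

def validate(text):
    """Return the list of rule violations found in the file (empty list: file passes)."""
    problems = []
    sections = parse_sections(text)
    glob = sections.get("global.context")
    if glob is None:
        problems.append("missing [global.context] section")
    elif "Revision" not in glob:
        problems.append("[global.context] has no Revision= field")
    for name, f in sections.items():
        if name == "global.context":
            continue
        if not name.endswith(".context"):
            problems.append(f"[{name}]: section name must end in '.context'")
        problems += [f"[{name}]: missing mandatory field {k}=" for k in MANDATORY if k not in f]
        if f.get("type", "asq") != "asq":
            problems.append(f"[{name}]: type must be 'asq'")
        if "classification" in f and f["classification"] not in ("0", "1", "2"):
            problems.append(f"[{name}]: classification must be 0, 1 or 2")
        # action_fw / level_fw: exactly 4 comma-separated values from the allowed set, no spaces
        for key, allowed in (("action_fw", ACTIONS), ("level_fw", LEVELS)):
            parts = f.get(key, "").split(",")
            if key in f and (len(parts) != PROFILES or " " in f[key] or not set(parts) <= allowed):
                problems.append(f"[{name}]: {key} needs {PROFILES} comma-separated values from {sorted(allowed)}")
        for key in QUOTED_FIELDS:
            if key in f and not _quoted(f[key]):
                problems.append(f"[{name}]: {key} must be surrounded by quotation marks")
        # Variants 1=, 2=, 3=, ... must be consecutive from 1 and hold quoted, compilable regexes
        ids = sorted(int(k) for k in f if k.isdigit())
        if ids and ids != list(range(1, len(ids) + 1)):
            problems.append(f"[{name}]: variant IDs {ids} are not consecutive from 1")
        for i in ids:
            value = f[str(i)]
            if not _quoted(value):
                problems.append(f"[{name}]: variant {i} must be surrounded by quotation marks")
                continue
            try:
                re.compile(value[1:-1])
            except re.error as exc:
                problems.append(f"[{name}]: variant {i} is not a valid regular expression ({exc})")
    return problems

# Constructed sample: the perdu.org signature from the tables above, then a deliberately
# broken section (the table's invalid 1/3/4/6 variant list plus a bad action_fw value).
SAMPLE = """\
[global.context]
Revision=1.2
[perdu.context]
type=asq
classification=1
action_fw=pass,pass,block,block
level_fw=ignore,minor,major,major
description="Access to perdu.org site"
ldescr="This custom signature is able to detect when a computer tries to connect to the website perdu.org"
1="perdu\\.org"
[colours.context]
type=asq
classification=0
action_fw=pass,drop,block,block
level_fw=major,major,major,major
description="Colour names"
ldescr="Invalid variant list"
1="blue"
3="red"
4="green"
6="yellow"
"""
```

Calling validate(SAMPLE) returns two findings, both for [colours.context]: the action_fw value "drop" is not one of pass/block, and the variant IDs 1, 3, 4, 6 are not consecutive. The perdu.context section passes. To check a real file before loading it on the firewall, call validate() on the file's text; the regex compilation step only catches syntax errors, not differences between Python's and the ASQ engine's regex dialects.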