Defining a pattern that uses only mandatory fields

On the development workstation:

  1. Create a file named CustomPatterns.in.
  2. Edit this file and insert the section "[tcpudp:hostname.global]" containing the revision number of the pattern, followed by the section "[tcpudp:hostname.4101]" including the mandatory parameters:

[tcpudp:hostname.global]
Revision=1

[tcpudp:hostname.4101]
type=asq
classification=1
action_fw=pass,pass,block,block
level_fw=minor,minor,major,major
description="Access to perdu.org site"
ldescr="This custom signature is able to detect when a computer tries to connect to the website perdu.org"
1="^(.+\.)?(?i)perdu\.org(?-i)$"

  3. Insert as many "[identifier.context]" sections as the number of custom patterns you wish to define in the context in question (maximum 2048 patterns per context).

Meanings of the various fields in this example

Field Revision

The revision number of the custom patterns in the tcpudp:hostname context is 1.

Field type

The pattern must be an asq pattern: it is supposed to activate a security policy and raise an alarm.

Field classification

The pattern belongs to the Applications category.

Field action_fw

Whenever a connection to the website perdu.org is detected, the action associated with the activated alarm will be:

  • Pass for "Internet" and "Low" predefined security templates,
  • Block for "Medium" and "High" predefined security templates.

Field level_fw

This alarm's level is:

  • Minor for "Internet" and "Low" predefined security templates,
  • Major for "Medium" and "High" predefined security templates.

Field description

The message associated with the pattern and which appears in the web administration interface is "Access to perdu.org site".

Field ldescr

The tooltip that appears when you hover over the message reads: "This custom signature is able to detect when a computer tries to connect to the website perdu.org".

Field 1

The regular expression used for detecting connections to perdu.org is:

^(.+\.)?(?i)perdu\.org(?-i)$
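As an added example that is not part of the original documentation or of the Stormshield product, the Python script below parses a CustomPatterns.in file like the one in the procedure above, checks each "[identifier.context]" section for the mandatory fields described in this section, checks that action_fw and level_fw carry one value per predefined security template (Internet, Low, Medium, High, in that order), enforces the 2048-patterns-per-context limit, and then runs the numbered regular expression against a few sample hostnames. The file name, section layout and field names come from the page; the function names (parse_custom_patterns, validate, to_python_regex, matching_hostnames), the sample hostnames and the sample file text are mine. One assumption to note: Python's re module rejects a global (?i) flag that is not at the start of an expression, so the script rewrites the (?i)...(?-i) pair as a scoped (?i:...) group before compiling. That rewrite is an adaptation for local testing, not a statement about how the firewall's own engine interprets the pattern.

```python
"""Parse and sanity-check a CustomPatterns.in file (added example, not vendor code)."""
import re
from collections import defaultdict

# Constructed sample file: the pattern shown on the page, verbatim.
SAMPLE = r'''[tcpudp:hostname.global]
Revision=1

[tcpudp:hostname.4101]
type=asq
classification=1
action_fw=pass,pass,block,block
level_fw=minor,minor,major,major
description="Access to perdu.org site"
ldescr="This custom signature is able to detect when a computer tries to connect to the website perdu.org"
1="^(.+\.)?(?i)perdu\.org(?-i)$"
'''

# Mandatory fields of a pattern section, as listed on the page.
MANDATORY = ("type", "classification", "action_fw", "level_fw", "description", "ldescr")
# action_fw / level_fw hold one value per predefined security template, in this order.
TEMPLATES = ("Internet", "Low", "Medium", "High")
MAX_PATTERNS_PER_CONTEXT = 2048

# "[tcpudp:hostname.4101]" -> context "tcpudp:hostname", identifier "4101" (or "global").
SECTION_RE = re.compile(r"^\[([^\]]+)\.([^.\]]+)\]$")


def parse_custom_patterns(text):
    """Return {context: {"revision": int|None, "patterns": {id: {field: value}}}}."""
    contexts = defaultdict(lambda: {"revision": None, "patterns": {}})
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            ctx, ident = m.groups()
            current = (ctx, ident)
            if ident != "global":
                contexts[ctx]["patterns"].setdefault(ident, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]          # strip the surrounding quotes
        ctx, ident = current
        if ident == "global":
            if key.lower() == "revision":
                contexts[ctx]["revision"] = int(value)
        else:
            contexts[ctx]["patterns"][ident][key] = value
    return dict(contexts)


def validate(contexts):
    """Return a list of problems; an empty list means the file passes every check."""
    problems = []
    for ctx, data in contexts.items():
        if data["revision"] is None:
            problems.append(f"{ctx}: missing Revision in [{ctx}.global]")
        if len(data["patterns"]) > MAX_PATTERNS_PER_CONTEXT:
            problems.append(f"{ctx}: more than {MAX_PATTERNS_PER_CONTEXT} patterns")
        for pid, fields in data["patterns"].items():
            for name in MANDATORY:
                if name not in fields:
                    problems.append(f"{ctx}.{pid}: missing mandatory field {name}")
            for name in ("action_fw", "level_fw"):
                if name in fields and len(fields[name].split(",")) != len(TEMPLATES):
                    problems.append(f"{ctx}.{pid}: {name} needs one value per template {TEMPLATES}")
            if not any(k.isdigit() for k in fields):
                problems.append(f"{ctx}.{pid}: no numbered regular-expression field")
    return problems


def to_python_regex(pattern):
    """Rewrite (?i)...(?-i) as the scoped group (?i:...) so Python's re accepts it.

    Assumption: the pattern uses at most a balanced (?i)/(?-i) pair; an unclosed
    (?i) is treated as running to the end of the expression."""
    converted = pattern.replace("(?i)", "(?i:").replace("(?-i)", ")")
    return converted + ")" * (pattern.count("(?i)") - pattern.count("(?-i)"))


def matching_hostnames(fields, hostnames):
    """Return the hostnames matched by any numbered regex of one pattern section."""
    regexes = [re.compile(to_python_regex(v)) for k, v in sorted(fields.items()) if k.isdigit()]
    return [h for h in hostnames if any(r.search(h) for r in regexes)]


if __name__ == "__main__":
    parsed = parse_custom_patterns(SAMPLE)
    print("problems:", validate(parsed) or "none")
    sample_hosts = ["www.perdu.org", "PERDU.ORG", "notperdu.org", "perdu.org.example"]
    print("matched:", matching_hostnames(parsed["tcpudp:hostname"]["patterns"]["4101"], sample_hosts))
```

Running the script on the constructed sample reports no problems and shows that the anchored, case-insensitive expression matches "www.perdu.org" and "PERDU.ORG" but not "notperdu.org" or "perdu.org.example", which is the behaviour a defender wants to confirm before loading a custom pattern onto the firewall.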