Defining a pattern that uses only mandatory fields
On the development workstation:
- Create a file named CustomPatterns.in,
- Edit this file and insert the section "[tcpudp:hostname.global]" containing the revision number of the custom patterns defined in this context, followed by the section "[tcpudp:hostname.4101]" containing the mandatory parameters:
[tcpudp:hostname.global]
Revision=1
[tcpudp:hostname.4101]
type=asq
classification=1
action_fw=pass,pass,block,block
level_fw=minor,minor,major,major
description="Access to perdu.org site"
ldescr="This custom signature is able to detect when a computer tries to connect to the website perdu.org"
1="^(.+\.)?(?i)perdu\.org(?-i)$"
- Insert as many "[context.identifier]" sections as there are custom patterns you wish to define in the context in question (maximum 2048 patterns per context).
Meanings of the various fields in this example
Field Revision
The revision number of the custom patterns in the tcpudp:hostname context is 1.
Field type
The pattern is an asq pattern: when it matches, it triggers the security policy and raises an alarm.
Field classification
The pattern belongs to the Applications category.
Field action_fw
The four comma-separated values apply, in that order, to the "Internet", "Low", "Medium" and "High" predefined security templates. Whenever a connection to the website perdu.org is detected, the action associated with the raised alarm will be:
- Pass for the "Internet" and "Low" predefined security templates,
- Block for the "Medium" and "High" predefined security templates.
Field level_fw
The four values follow the same template order as action_fw. This alarm's level is:
- Minor for the "Internet" and "Low" predefined security templates,
- Major for the "Medium" and "High" predefined security templates.
Field description
The message associated with the pattern and which appears in the web administration interface is "Access to perdu.org site".
Field ldescr
The tooltip that appears when you hover over the message reads: "This custom signature is able to detect when a computer tries to connect to the website perdu.org".
Field 1
The regular expression used for detecting connections to perdu.org is:
^(.+\.)?(?i)perdu\.org(?-i)$
The ^ and $ anchors require the whole hostname to match, so "perdu.org" and any of its subdomains (for example "www.perdu.org") are detected, while "notperdu.org" or "perdu.org.example.com" are not. The inline (?i) and (?-i) toggles make only the "perdu.org" part case-insensitive; the optional subdomain prefix (.+\.) is matched literally, which is harmless here because .+ accepts any characters.
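As an added example (not part of the original documentation or of the firewall's own tooling), the following Go program parses the CustomPatterns.in above, checks the constraints stated on this page (a Revision in the global section, the mandatory fields in each pattern section, one action_fw/level_fw value per predefined template, at most 2048 patterns per context, and a regex that compiles) and then exercises the hostname regex against a few constructed hostnames. Go's RE2 engine is used as a stand-in for the firewall's regex dialect, and the stripping of surrounding double quotes from values is an assumption about how the file is read.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// sampleConfig reproduces the CustomPatterns.in shown above (constructed inline).
const sampleConfig = `[tcpudp:hostname.global]
Revision=1
[tcpudp:hostname.4101]
type=asq
classification=1
action_fw=pass,pass,block,block
level_fw=minor,minor,major,major
description="Access to perdu.org site"
ldescr="This custom signature is able to detect when a computer tries to connect to the website perdu.org"
1="^(.+\.)?(?i)perdu\.org(?-i)$"
`

// Section holds the key=value lines of one "[context.identifier]" block.
type Section map[string]string

// mandatory lists the fields every pattern section must carry.
var mandatory = []string{"type", "classification", "action_fw", "level_fw", "description", "ldescr", "1"}

// parseCustomPatterns reads the INI-like format: "[name]" headers followed by
// key=value lines. Surrounding double quotes are stripped from values
// (assumption: the firewall treats them only as delimiters).
func parseCustomPatterns(src string) (map[string]Section, error) {
	sections := map[string]Section{}
	var cur Section
	for n, raw := range strings.Split(src, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			cur = Section{}
			sections[line[1:len(line)-1]] = cur
			continue
		}
		k, v, ok := strings.Cut(line, "=")
		if !ok || cur == nil {
			return nil, fmt.Errorf("line %d: expected key=value inside a section", n+1)
		}
		v = strings.TrimSpace(v)
		if len(v) >= 2 && v[0] == '"' && v[len(v)-1] == '"' {
			v = v[1 : len(v)-1]
		}
		cur[strings.TrimSpace(k)] = v
	}
	return sections, nil
}

// validateContext checks "<ctx>.global" and every "<ctx>.<identifier>" section
// against the constraints given on this page and returns the problems found.
func validateContext(sections map[string]Section, ctx string) []string {
	var problems []string
	if _, ok := sections[ctx+".global"]["Revision"]; !ok {
		problems = append(problems, ctx+".global: missing Revision")
	}
	count := 0
	for name, sec := range sections {
		if !strings.HasPrefix(name, ctx+".") || name == ctx+".global" {
			continue
		}
		count++
		for _, k := range mandatory {
			if _, ok := sec[k]; !ok {
				problems = append(problems, name+": missing "+k)
			}
		}
		// One value per predefined template: Internet, Low, Medium, High.
		for _, k := range []string{"action_fw", "level_fw"} {
			if v, ok := sec[k]; ok && len(strings.Split(v, ",")) != 4 {
				problems = append(problems, name+": "+k+" needs 4 values (Internet,Low,Medium,High)")
			}
		}
		// Numbered fields ("1", "2", ...) hold the regular expressions.
		for k, v := range sec {
			if _, err := strconv.Atoi(k); err != nil {
				continue
			}
			if _, err := regexp.Compile(v); err != nil {
				problems = append(problems, fmt.Sprintf("%s: field %s: %v", name, k, err))
			}
		}
	}
	if count > 2048 {
		problems = append(problems, fmt.Sprintf("%s: %d patterns exceed the limit of 2048", ctx, count))
	}
	return problems
}

// hostMatches reports whether host is caught by a tcpudp:hostname regex.
func hostMatches(pattern, host string) bool {
	return regexp.MustCompile(pattern).MatchString(host)
}

func main() {
	secs, err := parseCustomPatterns(sampleConfig)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	fmt.Println("problems:", validateContext(secs, "tcpudp:hostname"))
	re := secs["tcpudp:hostname.4101"]["1"]
	for _, h := range []string{"perdu.org", "WWW.Perdu.ORG", "perdu.org.example.com", "notperdu.org"} {
		fmt.Printf("%-24s -> %v\n", h, hostMatches(re, h))
	}
}
```

Running it reports no problems for the file above and shows that "perdu.org" and "WWW.Perdu.ORG" match while "perdu.org.example.com" and "notperdu.org" do not; feeding it a section with a missing field or an unbalanced regex lists the defect before the file ever reaches the firewall.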