Signature definition notes
- We recommend that you use lower case, although keywords in a signature are not case-sensitive.
- If your signature does not include a keyword/value pair for --attack_id, a value is assigned automatically. To avoid duplicate IDs, let the engine assign --attack_id rather than choosing values yourself. The range of values for --attack_id is 1000 to 9999 (inclusive).
- To match patterns using --pattern, enclose the pattern in double quotation marks (") and follow it with a semicolon (;). The special characters " ; \ | : must be written in hex-escape form as |22|, |3B| or |3b|, |5C| or |5c|, |7C| or |7c|, and |3A| or |3a| respectively. Although a backslash (\) can escape any character except a semicolon (;), we do not recommend this; use the |HH| form instead.
- To match patterns using --pcre, enclose the pattern in double quotation marks (") and follow it with a semicolon (;). The special characters " ; / must be written as \x22, \x3B or \x3b, and \x2F or \x2f respectively. Regular expressions should conform to the Perl Compatible Regular Expression (PCRE) standard; see the PCRE documentation for syntax details.
- PCRE matching is the least efficient of the engine's matching algorithms, and it can easily cause performance problems that are difficult to reproduce in testing. Prefer --pattern wherever a fixed byte sequence is enough.
- To detect line endings (for example, when scanning HTTP headers), use "|0A|", not "|0D 0A|". A pattern that requires the carriage return will not match traffic that terminates lines with a bare line feed.
- Use as long a pattern as possible, and limit the range over which it is searched. Searching for short patterns (fewer than four bytes) is inefficient for the engine's matching algorithm.
- If some encoded content is always the same, you can write a signature that matches the encoded form. This detects the encoded content even though the engine does not decode it.
- Do not use the no_case option on a non-alphabetic pattern: case folding only affects letters, so the option gains nothing.
- Do not use the no_case option on case-sensitive patterns. Some programming languages, such as C, Perl and PHP, are case-sensitive, so parameters passed to programs written in them should not use no_case.
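The escaping rules above are easy to get wrong by hand, so the following helper applies them mechanically. It is an added example, not Fortinet's code or the product's own parser: it encodes a literal for --pattern in |HH| form (grouping adjacent escaped bytes, so "\r\n" becomes |0D 0A|), escapes the " ; / characters for --pcre as \xHH, enforces the 1000 to 9999 range of --attack_id, and lints a pattern for the short-pattern, CRLF and no_case traps listed in the notes. The F-SBID( ... ) container used by build_signature() is an assumption about the surrounding signature syntax and is not described in the notes above; the sample Host header and regex are constructed inputs.

```python
"""Build and sanity-check option fragments for a FortiGate custom IPS signature.

Added example, not Fortinet's code. It applies the escaping rules from the
notes (|HH| for --pattern, \\xHH for --pcre) and the --attack_id range.
The F-SBID( ... ) wrapper in build_signature() is an ASSUMPTION about the
container syntax; the notes do not describe it.
"""

# Characters the notes say must be hex-escaped inside --pattern "...";
PATTERN_SPECIAL_BYTES = frozenset(b'";\\|:')
# Characters the notes say must be hex-escaped inside --pcre "...";
PCRE_SPECIAL_BYTES = frozenset(b'";/')


def _is_printable(b: int) -> bool:
    return 0x20 <= b <= 0x7E


def encode_pattern(literal: str) -> str:
    """Encode a literal for --pattern: specials and non-printable bytes become
    |HH|, and adjacent escaped bytes share one group ('\\r\\n' -> '|0D 0A|')."""
    out, hexrun = [], []

    def flush():
        if hexrun:
            out.append("|" + " ".join(hexrun) + "|")
            hexrun.clear()

    for b in literal.encode("utf-8"):
        if b in PATTERN_SPECIAL_BYTES or not _is_printable(b):
            hexrun.append(f"{b:02X}")
        else:
            flush()
            out.append(chr(b))
    flush()
    return "".join(out)


def encode_pcre(regex: str) -> str:
    """Escape only the delimiter-level characters (\" ; /) and non-printable
    bytes as \\xHH; ordinary regex metacharacters are left to the author."""
    parts = []
    for b in regex.encode("utf-8"):
        if b in PCRE_SPECIAL_BYTES or not _is_printable(b):
            parts.append(f"\\x{b:02X}")
        else:
            parts.append(chr(b))
    return "".join(parts)


def attack_id_option(attack_id: int) -> str:
    """Emit --attack_id, enforcing the documented 1000-9999 range."""
    if not 1000 <= attack_id <= 9999:
        raise ValueError(f"--attack_id {attack_id} is outside 1000-9999")
    return f"--attack_id {attack_id};"


def pattern_option(literal: str) -> str:
    return f'--pattern "{encode_pattern(literal)}";'


def pcre_option(regex: str) -> str:
    return f'--pcre "{encode_pcre(regex)}";'


def lint_pattern(literal: str, no_case: bool = False) -> list[str]:
    """Flag the efficiency and correctness traps the notes call out."""
    warnings = []
    if len(literal.encode("utf-8")) < 4:
        warnings.append("pattern shorter than 4 bytes is inefficient for the engine")
    if "\r\n" in literal:
        warnings.append("match line endings with |0A|, not |0D 0A|")
    if no_case and not any(c.isalpha() for c in literal):
        warnings.append("no_case on a non-alphabetic pattern gains nothing")
    return warnings


def build_signature(options: list[str]) -> str:
    """ASSUMED container syntax: F-SBID( option; option; ... )."""
    return "F-SBID( " + " ".join(options) + " )"


if __name__ == "__main__":
    # Constructed inputs: a Host header line (':' and the LF must be escaped)
    # and a regex containing '"', '/' and ';'.
    print(build_signature([attack_id_option(1234),
                           pattern_option("Host: evil.example\n")]))
    print(build_signature([attack_id_option(1235),
                           pcre_option('"/admin/";')]))
    for w in lint_pattern("ab\r\n", no_case=True):
        print("warning:", w)
```

Run it and compare the printed --pattern and --pcre strings against the escape tables in the notes; the linter is meant to be called on the raw literal before encoding, since the length and no_case checks apply to the bytes you intend to match, not to the escaped text.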