Signature definition notes

  • We recommend you use lower case, although keywords in a signature are not case-sensitive.
  • If your signature does not include a keyword/value pair for --attack_id, a value is automatically assigned. To avoid duplicates, it is recommended that you let the engine assign the --attack_id value automatically. The range of values for --attack_id is 1000 to 9999 (inclusive).
  • To match patterns using --pattern, you must enclose the pattern in double quotation marks (") and follow it with a semicolon. The special characters (" ; \ | :) must be written as (|22|, |3B| or |3b|, |5C| or |5c|, |7C| or |7c|, |3A| or |3a|). Although you can use backslash (\) to escape any character except a semicolon (;), we do not recommend this.
  • To match patterns using --pcre, you must enclose the pattern in double quotation marks (") and follow it with a semicolon (;). The special characters (" ; /) must be written as (\x22, \x3B or \x3b, \x2F or \x2f). Regular expressions should conform to the Perl Compatible Regular Expression (PCRE) standard. See pcre for syntax details.
  • PCRE matching is the least efficient engine matching algorithm, and it can easily cause performance issues that are difficult to identify through testing.
  • To detect line endings (for example, when scanning HTTP headers), use “|0A|”, not “|0D 0A|”.
  • Use as long a pattern as possible, together with a range limit. Searching for short patterns (length less than four) is inefficient for the engine's matching algorithm.
  • If some encoded content is always the same, you can make a signature to match the encoded form. This allows for detection of the encoded content, even though the engine does not support decoding.
  • Do not use the no_case option on a non-alphabetic pattern.
  • Do not use the no_case option on case-sensitive patterns.

    Some programming languages are case-sensitive, such as C, Perl and PHP. Parameters passed to programs written in these languages should not use no_case.
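The escaping and efficiency rules above are easy to get wrong by hand, so the following is an added example (not Fortinet's code and not part of the original page) of small Python helpers that apply them: building --pattern and --pcre keywords with the listed |HH| and \xHH escapes, terminating an HTTP header match with |0A| as recommended, and linting for the short-pattern and no_case advice. The keyword layout `--pattern "...";` and `--pcre "...";` comes from the notes; the function names and lint messages are this example's own.

```python
import re

# Characters the notes say must be hex-escaped inside --pattern, written |HH|.
PATTERN_ESCAPES = {
    '"': "|22|",
    ";": "|3B|",
    "\\": "|5C|",
    "|": "|7C|",
    ":": "|3A|",
}

# Characters the notes say must be hex-escaped inside --pcre, written \xHH.
PCRE_ESCAPES = {
    '"': "\\x22",
    ";": "\\x3B",
    "/": "\\x2F",
}

# A |HH| or |HH HH ...| hex token as it appears inside a --pattern body.
_HEX_TOKEN = re.compile(r"\|[0-9A-Fa-f]{2}(?: [0-9A-Fa-f]{2})*\|")


def escape_pattern(literal: str) -> str:
    """Replace every --pattern special character by its |HH| form.

    The notes allow backslash escaping but advise against it, so hex
    escaping is the only form produced here.
    """
    return "".join(PATTERN_ESCAPES.get(ch, ch) for ch in literal)


def pattern_keyword(literal: str) -> str:
    """Build a complete --pattern keyword for a literal (non-regex) sequence."""
    return f'--pattern "{escape_pattern(literal)}";'


def http_header_pattern(name: str, value: str) -> str:
    """Build a --pattern keyword for one HTTP header line.

    The line ending is matched with |0A| rather than |0D 0A|, as the
    line-ending note recommends; the ':' separator is hex-escaped.
    """
    return f'--pattern "{escape_pattern(name + ": " + value)}|0A|";'


def pcre_keyword(regex: str) -> str:
    """Build a --pcre keyword, escaping only the characters the notes list."""
    body = "".join(PCRE_ESCAPES.get(ch, ch) for ch in regex)
    return f'--pcre "{body}";'


def lint_pattern(literal: str, no_case: bool = False) -> list:
    """Return advisory messages (hypothetical wording) for a literal pattern."""
    warnings = []
    if len(literal) < 4:
        warnings.append("short pattern: length less than four is inefficient to match")
    if no_case and not any(ch.isalpha() for ch in literal):
        warnings.append("no_case: pattern contains no alphabetic characters")
    return warnings


def keyword_is_well_formed(keyword: str) -> bool:
    """Check a finished keyword: quoted body, trailing ';', and no raw
    special characters left unescaped (hex tokens are removed first so the
    '|' delimiters of |HH| escapes are not mistaken for raw pipes)."""
    for name, specials in (("--pattern", PATTERN_ESCAPES), ("--pcre", PCRE_ESCAPES)):
        prefix = f'{name} "'
        if keyword.startswith(prefix) and keyword.endswith('";'):
            body = keyword[len(prefix):-2]
            if name == "--pattern":
                body = _HEX_TOKEN.sub("", body)
            return not any(ch in body for ch in specials)
    return False


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real signature.
    print(pattern_keyword("User-Agent: test"))
    print(http_header_pattern("Host", "example.com"))
    print(pcre_keyword(r"/index\.php\?id="))
    print(lint_pattern("GET"), lint_pattern("1234", no_case=True))
```

Running the block prints the escaped keywords for the constructed inputs; `keyword_is_well_formed` is the check to apply to a hand-written keyword before it goes into a signature, since a raw `:` or `;` inside the quotes is exactly the kind of defect the notes warn about.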