OpenSignatures syntax
The Network Security appliance supports syntax options for custom OpenSignatures rules.
A typical signature uses the following pattern:
<alert | log | drop | pass | reject> <protocol> <source ip> <port> <direction: '->' '<-' '<>'> <destination ip> <port> (sid:<unique numeric identifier>; msg:"message to be displayed"; content:"<content to match>"; other acceptable tokens <?> <?>)
Note: OpenSignatures must include the sid, msg, and content fields; a rule cannot function without the content field. If an OpenSignature rule is improperly formatted, you might receive a PAM configuration error response.
For OpenSignature guidance and examples, see the Signature Author's Guide in the OpenSignature setup and rule creation technote at: http://www-01.ibm.com/support/docview.wss?uid=swg21981030
| Options | Syntax |
|---|---|
| <action> | alert, log, drop, pass, reject. Restriction: The following actions are not supported: |
| <protocol> | tcp, udp, icmp, ip |
| <IP and netmask> | |
| The negation operator | ! Example: alert tcp !192.168.1.0/24 This option means that an alert prompts you when anything other than what is indicated with the '!' is used. |
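The following validator is an added example, not code from the appliance or from IBM: it parses a rule against the pattern and syntax table above and reports every formatting problem it finds, so a rule can be checked before it is loaded and triggers a PAM configuration error. The action, protocol and direction sets, the required sid/msg/content options and the '!' negation operator are taken from this page; the sample rules, the regular expressions and the error wording are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Values taken from the syntax description on this page.
ACTIONS = {"alert", "log", "drop", "pass", "reject"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
REQUIRED_OPTIONS = {"sid", "msg", "content"}

# Header: <action> <proto> <src> <port> <dir> <dst> <port> (<options>)
# The direction alternatives are the three listed in the pattern above.
HEADER_RE = re.compile(
    r"^\s*(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<-|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$"
)
# 'any', or an IPv4 address with optional /netmask, optionally negated with '!'
CIDR_RE = re.compile(r"^!?(any|\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?)$")
PORT_RE = re.compile(r"^!?(any|\d{1,5})$")


@dataclass
class Rule:
    action: str
    protocol: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: dict
    errors: list = field(default_factory=list)


def is_negated(value: str) -> bool:
    """True when an address or port field uses the '!' negation operator."""
    return value.startswith("!")


def parse_options(body: str):
    """Split 'sid:1; msg:"x"; content:"y";' into a dict.

    Semicolons inside double quotes do not end an option. Returns the dict and
    whether the quotes were balanced.
    """
    opts, token, in_quotes, escaped = {}, "", False, False

    def flush(tok: str) -> None:
        if tok.strip():
            key, _, val = tok.strip().partition(":")
            opts[key.strip()] = val.strip().strip('"')

    for ch in body:
        if escaped:
            token += ch
            escaped = False
        elif ch == "\\" and in_quotes:
            token += ch
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
            token += ch
        elif ch == ";" and not in_quotes:
            flush(token)
            token = ""
        else:
            token += ch
    flush(token)
    return opts, not in_quotes


def validate(rule_text: str) -> Rule:
    """Parse one OpenSignature rule and collect every formatting problem found."""
    m = HEADER_RE.match(rule_text)
    if not m:
        r = Rule("", "", "", "", "", "", "", {})
        r.errors.append("header does not match '<action> <proto> <src> <port> <dir> <dst> <port> (...)'")
        return r
    opts, balanced = parse_options(m.group("body"))
    r = Rule(m.group("action"), m.group("proto"), m.group("src"), m.group("sport"),
             m.group("dir"), m.group("dst"), m.group("dport"), opts)
    if r.action not in ACTIONS:
        r.errors.append(f"unknown action '{r.action}'")
    if r.protocol not in PROTOCOLS:
        r.errors.append(f"unsupported protocol '{r.protocol}'")
    for label, val in (("source", r.src), ("destination", r.dst)):
        if not CIDR_RE.match(val):
            r.errors.append(f"{label} address '{val}' is not 'any' or an IP/netmask")
    for label, val in (("source", r.sport), ("destination", r.dport)):
        if not PORT_RE.match(val):
            r.errors.append(f"{label} port '{val}' is not 'any' or a number")
    if not balanced:
        r.errors.append("unbalanced double quote in rule options")
    for key in sorted(REQUIRED_OPTIONS - set(opts)):
        r.errors.append(f"missing required option: {key}")
    if "sid" in opts and not opts["sid"].isdigit():
        r.errors.append(f"sid '{opts['sid']}' is not numeric")
    if opts.get("content") == "":
        r.errors.append("content must not be empty")
    return r


# Constructed sample rules (sids and messages are placeholders, not real signatures).
SAMPLE_RULES = {
    "valid": 'alert tcp !192.168.1.0/24 any -> any 80 (sid:1000001; msg:"constructed example"; content:"GET /"; nocase;)',
    "no_content": 'alert tcp any any -> any 80 (sid:1000002; msg:"missing content";)',
    "bad_proto": 'drop http any any -> any 80 (sid:1000003; msg:"x"; content:"y";)',
    "unbalanced": 'alert udp any any -> any 53 (sid:1000004; msg:"oops; content:"z";)',
}

if __name__ == "__main__":
    for name, text in SAMPLE_RULES.items():
        result = validate(text)
        print(f"{name}: {'OK' if not result.errors else result.errors}")
```

The "valid" sample shows the negation operator from the table: the source network is negated, so the rule describes traffic from anywhere other than 192.168.1.0/24. The other three samples each reproduce one way a rule can be improperly formatted (a missing required field, an unsupported protocol, an unterminated msg string), which is the class of mistake that produces the PAM configuration error mentioned above.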