OpenSignatures syntax

The Network Security appliance supports syntax options for custom OpenSignatures rules.

A typical signature uses the following pattern:

<alert | log | drop | pass | reject> <protocol> <source ip> <port> < direction '->' '<-' '<>' ><destination ip> <port>(sid:<unique numeric identifier>;msg:"message to be displayed";content:"<content to match>"; other acceptable tokens <?> <?>)

Note: OpenSignatures must include the following fields: sid, msg, and content. OpenSignatures require the content field to function properly. If the OpenSignature rule is improperly formatted, you might receive a PAM configuration error response.

For OpenSignature guidance and examples, see the Signature Author's Guide in the OpenSignature setup and rule creation technote at: http://www-01.ibm.com/support/docview.wss?uid=swg21981030

Table 1. OpenSignatures syntax.
Note: The Network Security appliance accepts general Snort language syntax.
Options	Syntax
`<action>`	`alert`: Generate an alert that uses the selected alert method, and then log the packet. `drop`: Block and log the packet. `log`: Log the packet. `pass`: Ignore the packet. `reject`: Block the packet, log it, and then send a TCP reset if the protocol is TCP or an ICMP port unreachable message if the protocol is UDP. `sdrop`: Block the packet but do not log it. Restriction: The following actions are not supported: `activate` `dynamic`
`<protocol>`	`tcp, udp, icmp, ip`
`<IP and netmask>`	`single IP address (a.b.c.d)` `range of IP addresses (a.b.c.d-w.x.y.z)` `network address using CIDR notation (a.b.c.0/24)`
The negation operator	`!` Example: `alert tcp !192.168.1.0/24` This option means that an alert prompts you when anything other than what is indicated with the '`!`' is used.