Appendix A: Writing Custom Signatures
This section describes the structure of custom signatures and provides information on how to write custom signatures for the various client platforms. Topics include:
Rule Structure
Windows Custom Signatures
Solaris Custom Signatures
Linux Custom Signatures
Rule Structure
Every signature contains one or more rules written in ANSI Tool Command Language (TCL) syntax. Each rule contains mandatory and optional sections, with one section per line. Optional sections vary according to the operating system and the class of the rule. Each section defines a rule category and its value. One section always identifies the class of the rule, which defines the rule’s overall behavior.
The basic structure of a rule is the following:
Rule {
    SectionA value
    SectionB value
    SectionC value
    ...
}
Be sure to review the rules for writing strings and escape sequences in TCL before attempting to write custom rules. A quick review of any standard TCL reference should ensure that you enter values correctly.
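The following linter is an added example, not part of the original guide or the product. It checks a rule block against the structure described above (one section per line, each with a value) and flags quoted values that TCL backslash substitution would alter, such as an undoubled backslash in a Windows path. The section names and values in the sample are constructed placeholders.

```python
import re

def count_unescaped(s, ch):
    """Count occurrences of ch in s that are not preceded by a backslash."""
    n = i = 0
    while i < len(s):
        if s[i] == "\\":      # skip the backslash and the character it escapes
            i += 2
            continue
        n += s[i] == ch
        i += 1
    return n

def lint_rule(text):
    """Return (line_number, message) findings for one 'Rule { ... }' block."""
    findings = []
    lines = text.strip().splitlines()
    if not lines or lines[0].split() != ["Rule", "{"]:
        findings.append((1, "rule must open with 'Rule {'"))
    if not lines or lines[-1].strip() != "}":
        findings.append((len(lines), "rule must close with '}'"))
    for no, raw in enumerate(lines[1:-1], start=2):
        name, _, value = raw.strip().partition(" ")
        if not name:
            continue                      # blank line
        if not value.strip():
            findings.append((no, f"{name}: section has no value"))
            continue
        if count_unescaped(value, '"') % 2:
            findings.append((no, f"{name}: unbalanced double quote"))
        if count_unescaped(value, "{") != count_unescaped(value, "}"):
            findings.append((no, f"{name}: unbalanced braces"))
        # In double quotes TCL rewrites or drops a backslash before a letter or digit
        for quoted in re.findall(r'"((?:\\.|[^"\\])*)"', value):
            for m in re.finditer(r"\\(.)", quoted):
                if m.group(1).isalnum():
                    findings.append((no, f"{name}: '\\{m.group(1)}' is changed by TCL "
                                         "backslash substitution; double the backslash"))
    return findings

# Constructed sample: section names follow the page's placeholders, values are invented.
SAMPLE = r'''
Rule {
    SectionA "C:\temp\notes.txt"
    SectionB "C:\\temp\\notes.txt"
    SectionC
    SectionD {one two
}
'''

if __name__ == "__main__":
    for line_no, message in lint_rule(SAMPLE):
        print(f"line {line_no}: {message}")
```

SectionA is flagged twice because TCL would turn `\t` and `\n` into a tab and a newline, while the doubled backslashes in SectionB pass.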