The following parameter allows to specify a template against which the IPS will scan the packet payload:
.pattern[!]="string";
HEX data should be specified using "|" symbol, for example: |05 00 27|.
To specify special symbols, use the notations provided in the following table:
|
Symbol |
HEX notation |
|---|---|
|
" |
|22|. |
|
; |
|3B| or |3b|. |
|
\ |
|5C| or |5c|. |
|
| |
|7C| or |7c|. |
|
: |
|3A| or |3a|. |
In addition to the = operator, the != operator can also be used. If the latter operator is specified, it will search for packets which do not contain a specified template.
The parameter has the following general format:
.pattern[!]="string"; [.where=<MODE>;] [.no_case;] [.distance=<RANGE>[,<MODE>];] [.within=<RANGE>[,<MODE>];] [.service=<MODE>;]
Search area modifiers (.where, .no_case, .distance, .within, .service) will be detailed later.
When writing a signature a number of .pattern parameters can be used to reduce the number of false positives.