Every signature contains one or more rules written in ANSI Tool Command Language (TCL) syntax. Each rule contains mandatory and optional sections, with one section per line. Optional sections vary according to the operating system and the class of the rule. Each section defines a rule category and its value. One section always identifies the class of the rule, which defines the rule’s overall behavior.
The basic structure of a rule is:
Rule {
SectionA value
SectionB value
SectionC value
...
}
Do not include white space from blanks, tabbing, or indenting at the beginning or end of a line. All section names and values are case sensitive.
A rule to prevent a request to the web server that has “subject” in the HTTP request query has this format:
Rule {
Class Isapi
Id 4001
level 4
query { Include "*subject*" }
method { Include "GET" }
time { Include "*" }
application { Include "*" }
user_name { Include "*" }
directives -c -d isapi:request
}
See Windows custom signatures for an explanation of the various sections and values.
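The formatting constraints above (one section per line, no leading or trailing white space, case-sensitive section names, a Class section in every rule) can be checked before a custom signature is deployed. The following Python sketch is an added example, not part of the product or its documentation; the function name lint_rule and the sample text are hypothetical, and the check for typographic quotes is an added assumption based on TCL using plain ASCII double quotes.

```python
# Added example: lint one "Rule { ... }" block against the constraints stated above.
CURLY = "\u201c\u201d\u2018\u2019"  # typographic quotes, often introduced by copy/paste

# Constructed sample: the rule from this page with two defects introduced on purpose
# (line 5 is indented, line 6 uses curly quotes written here as \u201c and \u201d).
SAMPLE = '''Rule {
Class Isapi
Id 4001
level 4
 query { Include "*subject*" }
method { Include \u201cGET\u201d }
directives -c -d isapi:request
}'''

def lint_rule(text):
    """Return (sections, problems); problems are (line_number, message) pairs."""
    problems, sections = [], []
    lines = text.split("\n")
    if lines[0] != "Rule {":
        problems.append((1, "first line must be exactly 'Rule {'"))
    if lines[-1] != "}":
        problems.append((len(lines), "last line must be exactly '}'"))
    for no, raw in enumerate(lines[1:-1], start=2):
        if raw != raw.strip():
            problems.append((no, "leading or trailing white space"))
        if any(ch in CURLY for ch in raw):
            problems.append((no, "typographic quote; use ASCII quotes"))
        parts = raw.split(None, 1)  # section name, then the rest of the line
        if len(parts) < 2:
            problems.append((no, "expected 'Section value'"))
            continue
        sections.append((parts[0], parts[1].rstrip()))
    # Section names are case sensitive, so 'class' does not count as 'Class'.
    if "Class" not in [name for name, _ in sections]:
        problems.append((0, "no 'Class' section (names are case sensitive)"))
    return sections, problems

if __name__ == "__main__":
    for line_no, message in lint_rule(SAMPLE)[1]:
        print(f"line {line_no}: {message}")
```

Line number 0 in a reported problem means the problem applies to the rule as a whole rather than to one line.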