signature (user-defined application rule view)

Function

The signature command configures a user-defined application signature.

The undo signature command deletes a user-defined application signature.

Format

signature context { flow | packet } direction { request | response | both } { plain-string plain-string | regular-expression regular-expression } [ field field ]

undo signature

Parameters

Parameter: context
Description: Indicates signature context.
Value: -

Parameter: flow | packet
Description: Indicates signature (keyword) matching mode.
  • flow indicates flow-based matching.
  • packet indicates packet-based matching.
Value: -

Parameter: direction { request | response | both }
Description: Indicates signature (keyword) detection direction.
  • request indicates detection on request packets.
  • response indicates detection on response packets.
  • both indicates detection on both request and response packets.
Value: -

Parameter: plain-string plain-string
Description: Specifies a plain-text string.
Value: The value is a case-sensitive string of 3 to 128 characters. If the keyword contains any space and question mark (?), the value is a string of 5 to 130 characters and must be enclosed in double quotation marks (""), for example, "GET w?". If the keyword contains quotation marks, replace the quotation marks with \x22, for example, to set keyword abc"d, enter abc\x22d.

Parameter: regular-expression regular-expression
Description: Specifies a regular expression.
Value: The value is a case-sensitive string of 3 to 128 characters. If the regular expression contains any space and question mark (?), the value is a string of 5 to 130 characters and must be enclosed in double quotation marks (""), for example, "GET w?". If the regular expression contains quotation marks, replace the quotation marks with \x22, for example, to set regular expression abc"d, enter abc\x22d.

Parameter: field
Description: Specifies a protocol field to search for a signature.
Value:
  • When the protocol is TCP and the keyword is a regular expression, the following fields can be searched: General-payload, HTTP.Body, HTTP.Content-Type, HTTP.Cookie, HTTP.Host, HTTP.Method, HTTP.URI, and HTTP.User-Agent.
  • When the protocol is TCP and the keyword is a character string, the General-payload field can be searched.
  • When the protocol is UDP, the General-payload field can be searched.

Views

User-defined application rule view

Default Level

2: Configuration level

Usage Guidelines

You can configure only one signature for each user-defined application rule.

Example

# Configure the regular expression GET.ab{3}c as the signature in user-defined application rule rule1, with flow-based matching, detection on request packets, and HTTP.Body as the field to search.

<sysname> system-view
[sysname] sa
[sysname-sa] user-defined-application name UD_abc
[sysname-sa-user-defined-app-UD_abc] rule name rule1
[sysname-sa-user-defined-app-UD_abc-rule-rule1] protocol tcp
[sysname-sa-user-defined-app-UD_abc-rule-rule1] signature context flow direction request regular-expression GET.ab{3}c field HTTP.Body
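
The rules in the Parameters section (length limits, quoting, \x22 escaping, and which fields each protocol and keyword type can search) can be checked before a command is entered on a device. The following is an added example, not Huawei code; the function names are hypothetical, and it assumes that a space or a question mark alone requires quoting and that the length limits count the text as typed.

```python
# Added example: lint and render a `signature` command from the rules in the
# Parameters section. Function names are hypothetical, not a Huawei API.
CONTEXTS = {"flow", "packet"}
DIRECTIONS = {"request", "response", "both"}
KINDS = {"plain-string", "regular-expression"}
TCP_REGEX_FIELDS = {
    "General-payload", "HTTP.Body", "HTTP.Content-Type", "HTTP.Cookie",
    "HTTP.Host", "HTTP.Method", "HTTP.URI", "HTTP.User-Agent",
}

def allowed_fields(protocol, kind):
    """Fields the page lists as searchable for this protocol and keyword type."""
    if protocol == "tcp" and kind == "regular-expression":
        return TCP_REGEX_FIELDS
    if protocol in ("tcp", "udp"):
        return {"General-payload"}
    raise ValueError(f"unsupported protocol: {protocol!r}")

def encode_keyword(keyword):
    """Return the keyword as it must be typed at the CLI."""
    typed = keyword.replace('"', "\\x22")  # quotation marks are entered as \x22
    # Assumption: a space or a question mark alone is enough to require quoting.
    if " " in typed or "?" in typed:
        typed, low, high = f'"{typed}"', 5, 130
    else:
        low, high = 3, 128
    # Assumption: the length limits apply to the text as typed.
    if not low <= len(typed) <= high:
        raise ValueError(f"keyword must be {low} to {high} characters: {typed!r}")
    return typed

def build_signature(protocol, context, direction, kind, keyword, field=None):
    """Validate the arguments and return the command for the rule view."""
    if context not in CONTEXTS:
        raise ValueError(f"context must be one of {sorted(CONTEXTS)}")
    if direction not in DIRECTIONS:
        raise ValueError(f"direction must be one of {sorted(DIRECTIONS)}")
    if kind not in KINDS:
        raise ValueError(f"keyword type must be one of {sorted(KINDS)}")
    cmd = f"signature context {context} direction {direction} {kind} {encode_keyword(keyword)}"
    if field is not None:
        if field not in allowed_fields(protocol, kind):
            raise ValueError(f"field {field!r} is not searchable for {protocol} {kind}")
        cmd += f" field {field}"
    return cmd

if __name__ == "__main__":
    # Reproduces the command from the Example section of this page.
    print(build_signature("tcp", "flow", "request", "regular-expression",
                          "GET.ab{3}c", "HTTP.Body"))
```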

Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.