You can create three (3) types of custom Intrusion Prevention rules:
A simple signature is a straight pattern match against what’s going on the wire. If you want to look for keywords such as "confidential", "company name" or offensive words in a user’s web traffic, create a custom rule with such a pattern.
This has very limited use, being restricted to just one pattern. This is useful in emergency situations wherein a pattern needs to be pushed to all computers in the network to prevent malware from spreading.
A simple signature pattern could cause a false positive. It might be necessary to check for multiple patterns in one rule.
Custom rules allow you to specify a start and end pattern, and to look for anything in between. You could do the following:
- Check for multiple patterns (all of them)
- Check for multiple patterns (any of them)
- Look for the absence of specified patterns
Only one pattern should be entered per line.
If you select All Patterns Found with "START" as the start pattern and "END" as the end pattern, and then enter "MUST SEE THIS" and "MUST SEE THIS TOO" in the pattern, the rule will match if all patterns are found in the correct order. This means "START" should come first, followed by all of the patterns, and then the "END" pattern.
The rule processor will stop matching after the "END" pattern and will resume if it spots the "START" pattern again.
These are more advanced patterns that could cause performance issues if created without review and approval from Trend Micro. It is not recommended to create your own XML pattern rules.