Each keyword list has built-in conditions that determine if the content triggers a
detection. A
keyword list must meet specified criteria before IMSS
subjects it to a policy.
Expressions are a powerful string-matching tool. Ensure that you are comfortable with
expression syntax before creating expressions. Poorly written expressions can impact
performance.
When creating expressions:
-
Note that IMSS follows the expression formats defined in Perl Compatible Regular Expressions (PCRE). For more information on PCRE, visit http://www.pcre.org/.
-
Refer to the predefined expressions for guidance on how to define valid expressions.
-
Start with simple expressions. Modify the expressions if they are causing false alarms or fine tune them to improve detections.
-
Specify criteria when creating expressions. An expression must meet specified criteria before IMSS subjects it to a policy.