Fortinet IPS Custom signature syntax, Attackid, Name BufferOverflow, Srcport, Flow bidirection

Page 24

Creating custom signatures

Custom signatures

Custom signature syntax

Table 2: Information keywords

Keyword and value

Description

 

 

 

--attack_id <id_int>;

This optional value is used to identify the signature. It

 

cannot be the same value as any other custom rules within

 

the same VDOM. If an attack ID is not specified, the

 

FortiGate automatically assigns an attack ID to the

 

signature.

 

An attack ID you assign must be between 1000 and 9999.

 

Example:

 

 

--attack_id 1234;

--name <name_str>;

Enter the name of the rule. A rule name must be unique

 

within the same VDOM.

 

The name you assign must be a string greater than 0 and

 

less than 64 characters in length.

 

Example:

 

 

---name "Buffer_Overflow";

Table 3: Session keywords

 

 

 

 

 

 

 

Keyword and value

 

 

Description

 

 

 

 

--flow {from_client

 

 

Specify the traffic direction and state to be inspected.

from_server

 

 

They can be used for all IP traffic.

bi_direction };

 

 

Example:

 

 

 

--src_port 41523;

 

 

 

--flow bi_direction;

 

 

 

The signature checks traffic to and from port 41523.

 

 

 

Previous FortiOS versions used to_client and

 

 

 

to_server values. These are now deprecated, but

 

 

 

still function for backwards compatibility.

--service {HTTP TELNET

 

Specify the protocol type to be inspected.

FTP DNS SMTP POP3

 

This keyword allows you to specify the traffic type by

IMAP SNMP RADIUS

 

protocol rather than by port. If the decoder has the

LDAP MSSQL RPC SIP

 

capability to identify the protocol on any port, the

 

signature can be used to detect the attack no matter

H323 NBSS DCERPC

 

what port the service is running on. Currently, HTTP,

SSH SSL};

 

 

SIP, SSL, and SSH protocols can be identified on any

 

 

 

port based on the content.

 

FortiGate IPS User Guide Version 3.0 MR7

24

01-30007-0080-20080916

Page 23 Page 25
Image 24
Page 23 Page 25
Contents E R G U I D E Trademarks Contents Protocol decoders IPS sensorsDoS sensors SYN flood attacksIntroduction FortiGate IPSAbout this document Fortinet documentationDocument conventions Typographic conventionsFortiGate Pptp VPN User Guide Customer service and technical support Fortinet Knowledge CenterComments on Fortinet technical documentation IPS overview and general configuration IPS settings and controlsThis section contains the following topics When to use IPS Default signature and anomaly settingsDefault fail open setting Config ips global Set fail-open enable disable endSetting the buffer size Configuring logging and alert emailMonitoring the network and dealing with attacks Controlling sessionsAttack log messages Signature Anomaly FortiGuard CenterUsing IPS sensors in a protection profile Creating a protection profile that uses IPS sensorsAdding protection profiles to firewall policies Select Create NewAdding protection profiles to user groups Using IPS sensors in a protection profile Predefined signatures IPS predefined signaturesViewing the predefined signature list Settings EnableColumn Clear All FiltersCreate a sensor and add IPS filters to it Viewing the predefined signature list Custom signatures IPS custom signaturesViewing the custom signature list Custom signature configuration Adding custom signatures using the web-based managerAdding custom signatures using the CLI Command syntax patternCreating custom signatures Custom signature fieldsShows the valid characters for custom signature fields Custom signature syntax AttackidName BufferOverflow SrcportContent keywords Keyword and value Description Deprecated, see pattern and context keywords Pattern GET Context uriPattern yahoo.com Context hostPcre Regex/mdelimRegexdelimismxAEGRU Uri !uristrProtocol tcp IP header keywords Keyword and Value DescriptionTCP header keywords Keyword and Value Description Tcpflags AP Tcpflags S,12UDP header keywords Keyword and Value Description Icmp keywords Keyword and Value UsageOther keywords Keyword and Value Description Example 1 signature to block access to example.com Example custom signaturesSbid --name Block.example.com Sbid --name Block.example.com Example 2 signature to block the Smtp ‘vrfy’ command Sbid --name Block.SMTP.VRFY.CMDSbid --name Block.SMTP.VRFY.CMD --pattern vrfy Creating custom signatures Protocol decoders Protocol decodersUpgrading the IPS protocol decoder list Viewing the protocol decoder list Protocol decoder list Protocols Protocol decoder names PortAlldefault AlldefaultpassIPS sensors Viewing the IPS sensor listConfiguring IPS sensors Adding an IPS sensorProtectclient ProtectemailserverIPS sensor attributes IPS sensor filtersConfiguring filters ResetIPS sensor overrides Delete and Edit Delete or edit the filter IconsConfiguring pre-defined and custom overrides ApplicationExempt IP SourceDoS sensors Configuring DoS sensors Viewing the DoS sensor listSequence in which the sensors examine network traffic Appears, and select OKAnomaly configuration DoS sensor attributesName Enter or change the DoS sensor name Comments Will appear in the DoS sensor listUnderstanding the anomalies Anomaly Description Tcpdstsession UdpfloodUdpscan UdpsrcsessionUnderstanding the anomalies What is a SYN flood attack? SYN flood attacksHow SYN floods work What is SYN threshold? What is SYN proxy?FortiGate IPS Response to SYN flood attacks How IPS works to prevent SYN floodsIPS operation before synflood threshold is reached Configuring SYN flood protection Suggested settings for different network conditionsConfigure the options for tcpsynflood Select OK What is an Icmp sweep? Icmp sweep attacksHow Icmp sweep attacks work FortiGate IPS response to Icmp sweep attacksPredefined Icmp signatures Icmp sweep anomalies Configuring Icmp sweep protection Index FortiGate Version 3.0 MR7 IPS User GuideTechnical support
Top Page Image Contents