Custom signatures | Creating custom signatures |
Table 4: Content keywords
Keyword and value | Description |
<bytes_to_convert>, <offset>[, relative] [, big] [, little] [, string] [, hex] [, dec] [, oct] [, align]; | Use the byte_jump option to extract a number of bytes from a packet, convert them to their numeric representation, and jump the match reference up that many bytes (for further pattern matching or byte testing). This keyword allows relative pattern matches to take into account numerical values found in network data. The available keyword options include: |
| • <bytes_to_convert>: The number of bytes to examine from the packet. |
| • <offset>: The number of bytes into the payload to start processing. |
| • relative: Use an offset relative to last pattern match. |
| • big: Process the data as big endian (default). |
| • little: Process the data as little endian. |
| • string: The data is a string in the packet. |
| • hex: The converted string data is represented in hexadecimal notation. |
| • dec: The converted string data is represented in decimal notation. |
| • oct: The converted string data is represented in octal notation. |
| • align: Round up the number of converted bytes to the next |
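
The option semantics in the table above, modelled in Python as an added example (not FortiGate code and not taken from the guide). It assumes the jump is counted from the end of the converted field, leaves out align, and uses constructed payloads; the function names are hypothetical.

```python
def byte_jump(payload, cursor, bytes_to_convert, offset, *,
              relative=False, little=False, string=None):
    """Return the match reference after a byte_jump (model, not FortiGate code).

    cursor: where the last pattern match ended (used only with relative).
    string: None for binary data, or "hex" / "dec" / "oct" for ASCII digits.
    """
    start = (cursor if relative else 0) + offset
    end = start + bytes_to_convert
    if start < 0 or end > len(payload):
        raise ValueError("field lies outside the payload")
    field = payload[start:end]
    if string is None:
        value = int.from_bytes(field, "little" if little else "big")
    else:
        value = int(field.decode("ascii"), {"hex": 16, "dec": 10, "oct": 8}[string])
    # Assumption: the jump is counted from the end of the converted field.
    landing = end + value
    if not 0 <= landing <= len(payload):
        raise ValueError("jump lands outside the payload")
    return landing


def match_then_jump(payload, first, then, **jump_options):
    """True if `then` starts exactly where byte_jump lands after `first`."""
    hit = payload.find(first)
    if hit < 0:
        return False
    try:
        landing = byte_jump(payload, hit + len(first), relative=True, **jump_options)
    except ValueError:  # truncated field, non-numeric text, or jump past the end
        return False
    return payload.startswith(then, landing)


# Constructed sample payloads: marker, length field, body, trailer.
BINARY_BE = b"HDR" + (6).to_bytes(2, "big") + b"A" * 6 + b"END"
BINARY_LE = b"HDR" + (6).to_bytes(2, "little") + b"A" * 6 + b"END"
TEXT_HEX = b"LEN=" + b"0010" + b"B" * 16 + b"END"

if __name__ == "__main__":
    for payload, first, opts in [
        (BINARY_BE, b"HDR", dict(bytes_to_convert=2, offset=0)),
        (BINARY_LE, b"HDR", dict(bytes_to_convert=2, offset=0)),               # wrong endianness
        (BINARY_LE, b"HDR", dict(bytes_to_convert=2, offset=0, little=True)),
        (TEXT_HEX, b"LEN=", dict(bytes_to_convert=4, offset=0, string="hex")),
        (TEXT_HEX, b"LEN=", dict(bytes_to_convert=4, offset=0, string="dec")),  # wrong base
    ]:
        print(opts, match_then_jump(payload, first, b"END", **opts))
```

Reading the length field with the wrong endianness or the wrong string base moves the landing point, so the follow-on pattern no longer matches where the trailer actually sits.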
FortiGate IPS User Guide Version 3.0 MR7 |