Creating custom signatures | Custom signatures
Table 4: Content keywords (Continued)

Keyword and value | Description

byte_test: <bytes_to_convert>, <operator>, <value>, <offset>[, relative] [, big] [, little] [, string] [, hex] [, dec] [, oct];
  The FortiGate unit compares a byte field against a specific value (with operator). This keyword can test binary values directly, or convert a textual (string) representation of a number in the payload to its binary equivalent and test that. The available keyword options are:
  • <bytes_to_convert>: The number of bytes to compare.
  • <operator>: The operation to perform when comparing the value (<, >, =, !, &).
  • <value>: The value to compare the converted value against.
  • <offset>: The number of bytes into the payload at which to start processing.
  • relative: Use an offset relative to the end of the last pattern match.
  • big: Process the data as big endian (default).
  • little: Process the data as little endian.
  • string: The data is a string in the packet; it is converted to a number using the notation given by hex, dec or oct.
  • hex: The string data is represented in hexadecimal notation.
  • dec: The string data is represented in decimal notation.
  • oct: The string data is represented in octal notation.

content: [!]"<content_str>";
  Deprecated; see the pattern and context keywords.
  The FortiGate unit searches for the content string in the packet payload. The content string must be enclosed in double quotes.
  To have the FortiGate unit match a packet that does not contain the specified content string, add an exclamation mark (!) before the content string.
  Multiple content items can be specified in one rule. The value can contain mixed text and binary data. Binary data is written as hexadecimal byte values enclosed in pipe (|) characters.
  The double quote ("), pipe (|) and colon (:) characters must be escaped with a backslash (\) when they appear in a content string.

depth
  The FortiGate unit looks for the contents within the specified number of bytes after the starting point defined by the offset keyword. If no offset is specified, the offset is assumed to be 0.
  If the value of the depth keyword is smaller than the length of the value of the content keyword, the signature can never match.
  The depth must be between 0 and 65535.

distance
  The FortiGate unit searches for the contents starting the specified number of bytes after the end of the previously matched contents. If the within keyword is not specified, it continues looking for a match until the end of the payload.
  The distance must be between 0 and 65535.
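The following is an added reference implementation of the matching rules described above; it is example code written for this page, not Fortinet's IPS engine. It decodes a content string (backslash escapes and |hex| runs), applies offset/depth and distance/within windows to successive content matches, and performs a byte_test with big/little endian and string (hex/dec/oct) conversion. The sample payloads are constructed for the example. Two points are assumptions rather than text from the table: within is treated as a depth applied after distance (the Snort convention), and a bare "!" operator is read as "not equal".

```python
# Added example: content / byte_test semantics from Table 4. Not Fortinet code.

def parse_content(content_str):
    """Decode the text between the double quotes of a content keyword.

    - a backslash escapes the next character (required for ", | and :)
    - a run between pipe characters holds hex bytes, e.g. |0d 0a|
    - everything else is literal text
    """
    out = bytearray()
    i = 0
    while i < len(content_str):
        c = content_str[i]
        if c == '\\':
            if i + 1 >= len(content_str):
                raise ValueError("trailing backslash in content string")
            out.append(ord(content_str[i + 1]))
            i += 2
        elif c == '|':
            j = content_str.find('|', i + 1)
            if j == -1:
                raise ValueError("unterminated hex run in content string")
            out += bytes.fromhex(content_str[i + 1:j])
            i = j + 1
        else:
            out.append(ord(c))
            i += 1
    return bytes(out)


def content(payload, content_str, negate=False, offset=0, depth=None,
            distance=None, within=None, last_end=0):
    """Search payload for a content string with its modifiers.

    Returns (matched, new_last_end). offset/depth are absolute positions;
    distance/within are measured from the end of the previous match
    (last_end). Assumption: within is a depth applied after distance.
    """
    needle = parse_content(content_str)
    if distance is not None or within is not None:
        start = last_end + (distance or 0)
        window_len = within
    else:
        start = offset
        window_len = depth
    window = payload[start:] if window_len is None else payload[start:start + window_len]
    # A window shorter than the needle can never contain it: this is the
    # "depth smaller than the content length never matches" caveat.
    idx = window.find(needle)
    if negate:
        return (idx == -1, last_end)
    if idx == -1:
        return (False, last_end)
    return (True, start + idx + len(needle))


_OPS = {
    '<': lambda a, b: a < b,
    '>': lambda a, b: a > b,
    '=': lambda a, b: a == b,
    '&': lambda a, b: (a & b) != 0,
}


def byte_test(payload, bytes_to_convert, operator, value, offset,
              relative=False, little=False, string=False, base=16, last_end=0):
    """Read bytes_to_convert bytes at offset, convert, and compare with operator.

    Big endian is the default. string=True reads the bytes as ASCII digits in
    `base` (16 = hex, 10 = dec, 8 = oct). A leading '!' negates the operator;
    a bare '!' is treated as 'not equal' (assumption about the syntax).
    """
    start = offset + (last_end if relative else 0)
    field = payload[start:start + bytes_to_convert]
    if len(field) != bytes_to_convert:
        return False  # field would run past the end of the payload
    negate = operator.startswith('!')
    op = operator[1:] if negate else operator
    if op == '':
        op = '='
    if string:
        converted = int(field.decode('ascii'), base)
    else:
        converted = int.from_bytes(field, 'little' if little else 'big')
    result = _OPS[op](converted, value)
    return (not result) if negate else result


# Constructed sample payloads (not captured traffic): a login line followed by
# a 4-byte big-endian length field, and a line carrying a decimal size as text.
LOGIN = b"USER admin\r\n" + (256).to_bytes(4, "big") + b"\x00" * 8
SIZE_LINE = b"SIZE 1024\r\n"


def demo():
    """Walk a chain of content matches and byte_tests over the sample payloads."""
    r = {}
    ok, end = content(LOGIN, "USER ", depth=5)                       # absolute window
    r["user"] = ok
    ok, end = content(LOGIN, "admin", distance=0, within=5, last_end=end)
    r["admin"] = ok
    ok, end = content(LOGIN, "|0d 0a|", distance=0, within=2, last_end=end)
    r["crlf"] = ok
    # Same 4 bytes, 0x00000100: 256 as big endian, 65536 as little endian.
    r["len_big"] = byte_test(LOGIN, 4, ">", 1000, 0, relative=True, last_end=end)
    r["len_little"] = byte_test(LOGIN, 4, ">", 1000, 0, relative=True, little=True, last_end=end)
    r["depth_too_small"] = content(LOGIN, "admin", offset=5, depth=3)[0]   # depth 3 < len("admin")
    r["no_pass"] = content(LOGIN, "PASS", negate=True)[0]               # ! prefix: absent string matches
    r["escaped"] = content(b'say "hi"', 'say \\"hi\\"')[0]              # escaped double quotes
    r["size_dec"] = byte_test(SIZE_LINE, 4, ">", 1000, 5, string=True, base=10)
    return r


if __name__ == "__main__":
    for name, matched in demo().items():
        print(f"{name:16s} {matched}")
```

The endianness pair in demo() is the case worth remembering: the same four bytes pass the "> 1000" test as little endian and fail it as big endian, so a signature that omits the endianness option silently tests the big-endian reading.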

FortiGate IPS User Guide Version 3.0 MR7    26