Fortinet IPS manual

Page 26

Creating custom signatures

Custom signatures

Table 4: Content keywords (Continued)

Keyword and value / Description

--byte_test <bytes_to_convert>, <operator>, <value>, <offset>[, relative] [, big] [, little] [, string] [, hex] [, dec] [, oct];
    The FortiGate unit compares a byte field against a specific value (with operator). This keyword is capable of testing binary values or converting representative byte strings to their binary equivalent and testing them. The available keyword options include:
    <bytes_to_convert>: The number of bytes to compare.
    <operator>: The operation to perform when comparing the value (<, >, =, !, &).
    <value>: The value to compare the converted value against.
    <offset>: The number of bytes into the payload to start processing.
    relative: Use an offset relative to the last pattern match.
    big: Process the data as big endian (default).
    little: Process the data as little endian.
    string: The data is a string in the packet.
    hex: The converted string data is represented in hexadecimal notation.
    dec: The converted string data is represented in decimal notation.
    oct: The converted string data is represented in octal notation.

--depth <depth_int>;
    The FortiGate unit looks for the contents within the specified number of bytes after the starting point defined by the offset keyword. If no offset is specified, the offset is assumed to be equal to 0.
    If the value of the depth keyword is smaller than the length of the value of the content keyword, this signature will never be matched.
    The depth must be between 0 and 65535.

--distance <dist_int>;
    The FortiGate unit searches for the contents within the specified number of bytes relative to the end of the previously matched contents. If the within keyword is not specified, it continues looking for a match until the end of the payload.
    The distance must be between 0 and 65535.

--content [!]"<content_str>";
    Deprecated, see pattern and context keywords.
    The FortiGate unit will search for the content string in the packet payload. The content string must be enclosed in double quotes.
    To have the FortiGate search for a packet that does not contain the specified content string, add an exclamation mark (!) before the content string.
    Multiple content items can be specified in one rule. The value can contain mixed text and binary data. The binary data is generally enclosed within the pipe (|) character.
    The double quote ("), pipe sign (|) and colon (:) characters must be escaped using a backslash if specified in a content string.
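The following is an added example, not code from the Fortinet manual or the FortiGate IPS itself: a small Python model of how the byte_test, content, depth, distance and within keywords described in this table evaluate against a payload, run over a constructed sample packet. The treatment of within as a cap on the search window, and the byte_test/content function names, are assumptions made for illustration.

```python
import operator

# Constructed sample payload (not from the manual): a 2-byte big-endian length
# field (0x0100) followed by an HTTP-like request line with a decimal value as text.
SAMPLE = b"\x01\x00GET /index.html?len=1234 HTTP/1.0"

_OPS = {"<": operator.lt, ">": operator.gt, "=": operator.eq, "!": operator.ne,
        "&": lambda a, b: (a & b) != 0}   # '&' is a bitwise test, true if any bit set


def byte_test(payload, bytes_to_convert, op, value, offset, relative=False,
              last_end=0, little=False, string=False, base=10):
    """Model of --byte_test: take bytes_to_convert bytes at offset (measured from
    the end of the previous match when relative=True), convert, then compare."""
    start = offset + (last_end if relative else 0)
    chunk = payload[start:start + bytes_to_convert]
    if len(chunk) < bytes_to_convert:        # field runs past the payload: no match
        return False
    if string:                               # textual number; base 16/10/8 = hex/dec/oct
        try:
            converted = int(chunk.decode("ascii"), base)
        except ValueError:
            return False
    else:                                    # raw binary field, big endian by default
        converted = int.from_bytes(chunk, "little" if little else "big")
    return _OPS[op](converted, value)


def content(payload, needle, negate=False, offset=0, depth=None,
            distance=None, within=None, last_end=None):
    """Model of --content with depth, distance and within (within is assumed here
    to cap the search window). Returns (matched, end), where end is the offset
    just past the match, for later relative keywords."""
    if distance is not None and last_end is not None:
        start = last_end + distance          # search begins relative to previous match
        window = payload[start:] if within is None else payload[start:start + within]
    else:
        start = offset                       # absolute search from offset, capped by depth
        window = payload[start:] if depth is None else payload[start:start + depth]
    idx = window.find(needle)                # a depth shorter than the needle never matches
    end = start + idx + len(needle) if idx != -1 else None
    return ((idx == -1) if negate else (idx != -1)), end


def demo():
    """Walk the sample through the keyword combinations the table describes."""
    big = byte_test(SAMPLE, 2, ">", 255, 0)                   # 0x0100 = 256 big endian
    little = byte_test(SAMPLE, 2, ">", 255, 0, little=True)   # = 1 little endian
    hit, end = content(SAMPLE, b"len=", offset=2)             # absolute search
    dec = byte_test(SAMPLE, 4, ">", 1000, 0, relative=True, last_end=end, string=True)
    near, _ = content(SAMPLE, b"HTTP", distance=4, within=6, last_end=end)
    far, _ = content(SAMPLE, b"HTTP", distance=4, within=4, last_end=end)
    short, _ = content(SAMPLE, b"index.html", offset=6, depth=5)
    return big, little, hit, end, dec, near, far, short
```

Note that the same 2-byte field passes the test in big-endian mode and fails it in little-endian mode, which is why the endianness option matters when a signature inspects binary length fields.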

 

 

 

FortiGate IPS User Guide Version 3.0 MR7

26

01-30007-0080-20080916
