Fortinet IPS Pattern GET, Context uri, Pattern yahoo.com, Context host, Nocase, Context header

Page 27


Custom signatures

Creating custom signatures

Table 4: Content keywords (Continued)

Keyword and value                      Description

--context {uri header body host};
    Specify the protocol field in which the pattern should be looked for. If context is not specified for a pattern, the FortiGate unit searches for the pattern anywhere in the packet buffer. The available context variables are:

    uri: Search for the pattern in the HTTP URI line.
    header: Search for the pattern in HTTP header lines or SMTP/POP3/SMTP control messages.
    body: Search for the pattern in the HTTP body or SMTP/POP3/SMTP email body.
    host: Search for the pattern in the HTTP HOST line.

    Example:
    --pattern "GET "
    --context uri
    --pattern "yahoo.com"
    --context host
    --no_case
    --pcre "/DESCRIBE\s+\/\s+RTSP\//i"
    --context header

--no_case;
    The no_case keyword forces the FortiGate unit to perform a case-insensitive pattern match.

--offset <offset_int>;
    The FortiGate unit starts looking for the contents the specified number of bytes into the payload. The specified number of bytes is an absolute value in the payload. Follow the offset keyword with the depth keyword to stop looking for a match after a specified number of bytes. If no depth is specified, the FortiGate unit continues looking for a match until the end of the payload.

    The offset must be between 0 and 65535.

--pattern [!]"<pattern_str>";
    The FortiGate unit will search for the specified pattern. A pattern keyword is normally followed by a context keyword to define where to look for the pattern in the packet. If a context keyword is not present, the FortiGate unit looks for the pattern anywhere in the packet buffer.

    To have the FortiGate search for a packet that does not contain the specified URI, add an exclamation mark (!) before the URI.

    Example:
    --pattern "/level/"
    --pattern "E8 D9FF FFFF/bin/sh"
    --pattern !"20RTSP/"
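To make the semantics of context, no_case, offset/depth and pattern negation concrete, here is an added toy evaluator that is not Fortinet code and does not reproduce the FortiGate matcher: it splits a constructed HTTP request into the four context buffers from the table and evaluates the table's "GET " / "yahoo.com" example against it. The pcre keyword is left out, and the assumption that depth counts bytes from the offset is mine.

```python
"""Toy evaluator for FortiGate-style content keywords (added example, not Fortinet code)."""


def split_http(request: bytes) -> dict:
    """Split a raw HTTP request into the context buffers named in Table 4."""
    head, _, body = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = lines[1:]
    host = b""
    for h in headers:
        if h.lower().startswith(b"host:"):
            host = h
    return {"uri": lines[0], "header": b"\r\n".join(headers), "host": host, "body": body}


def match_pattern(buf: bytes, pattern: bytes, no_case: bool = False, offset: int = 0,
                  depth=None, negate: bool = False) -> bool:
    """--pattern semantics: offset is absolute into buf; depth (assumed relative to
    offset) bounds the search window; '!' (negate) inverts the result."""
    window = buf[offset:] if depth is None else buf[offset:offset + depth]
    hay, needle = (window.lower(), pattern.lower()) if no_case else (window, pattern)
    found = needle in hay
    return (not found) if negate else found


def match_signature(request: bytes, rules: list) -> bool:
    """All content keywords of a custom signature must match (logical AND).
    A rule without a context is searched over the whole packet buffer."""
    ctx = split_http(request)
    for r in rules:
        buf = ctx.get(r.get("context"), request)
        if not match_pattern(buf, r["pattern"], r.get("no_case", False),
                             r.get("offset", 0), r.get("depth"), r.get("negate", False)):
            return False
    return True


# The table's example: "GET " in the URI line and "yahoo.com" in the Host line, no_case.
YAHOO_SIG = [
    {"pattern": b"GET ", "context": "uri"},
    {"pattern": b"yahoo.com", "context": "host", "no_case": True},
]

# Constructed sample requests (not captured traffic).
REQ_HIT = b"GET /index.html HTTP/1.1\r\nHost: www.Yahoo.COM\r\nUser-Agent: x\r\n\r\n"
REQ_MISS = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\nReferer: http://yahoo.com/\r\n\r\n"

if __name__ == "__main__":
    print("hit:", match_signature(REQ_HIT, YAHOO_SIG))    # True
    print("miss:", match_signature(REQ_MISS, YAHOO_SIG))  # False: yahoo.com is only in Referer
```

REQ_MISS shows why the context keyword matters: the same pattern with no context would match the Referer header anywhere in the packet buffer.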

FortiGate IPS User Guide Version 3.0 MR7

 

01-30007-0080-20080916
