Fortinet IPS manual Pcre, Regex/mdelim, RegexdelimismxAEGRU, Uri !uristr, Within withinint

Page 28

Creating custom signatures

Custom signatures

Table 4: Content keywords (Continued)

Keyword and value

Description

 

 

--pcre

Similar to the pattern keyword, pcre is used to

[!]"(/<regex>/m<delim><

specify a pattern using Perl-compatible regular

regex><delim>)[ismxAEGRU

expressions (PCRE). A pcre keyword can be followed

by a context keyword to define where to look for the

B]";

pattern in the packet. If no context keyword is

 

present, the FortiGate unit looks for the pattern

 

anywhere in the packet buffer.

 

For more information about PCRE syntax, go to

 

http://www.pcre.org.

 

The switches include:

 

i: Case insensitive.

 

s: Include newlines in the dot metacharacter.

 

m: By default, the string is treated as one big line of

 

characters. ^ and $ match at the beginning and

 

ending of the string. When m is set, ^ and $ match

 

immediately following or immediately before any

 

newline in the buffer, as well as the very start and

 

very end of the buffer.

 

x: White space data characters in the pattern are

 

ignored except when escaped or inside a character

 

class.

 

A: The pattern must match only at the start of the

 

buffer (same as ^ ).

 

E: Set $ to match only at the end of the subject

 

string. Without E, $ also matches immediately

 

before the final character if it is a newline (but not

 

before any other newlines).

 

G: Invert the "greediness" of the quantifiers so that

 

they are not greedy by default, but become greedy if

 

followed by ?.

 

R: Match relative to the end of the last pattern

 

match. (Similar to distance:0;).

 

U: Deprecated, see the context keyword. Match

 

the decoded URI buffers.

--uri [!]"<uri_str>";

Deprecated, see pattern and context keywords.

 

The FortiGate unit will search for the URI in the packet

 

payload. The URI must be enclosed in double quotes.

 

To have the FortiGate search for a packet that does not

 

contain the specified URI, add an exclamation mark (!)

 

before the URI.

 

Multiple content items can be specified in one rule. The

 

value can contain mixed text and binary data. The

 

binary data is generally enclosed within the pipe ()

 

character.

 

The double quote ("), pipe sign() and colon(:)

 

characters must be escaped using a back slash if

 

specified in a URI string.

 

 

--within <within_int>;

When used with the distance keyword, the FortiGate

 

unit searches for the contents within the specified

 

number of bytes of the payload.

 

The within value must be between 0 and 65535.

FortiGate IPS User Guide Version 3.0 MR7

28

01-30007-0080-20080916

Page 27 Page 29
Image 28
Page 27 Page 29
Contents E R G U I D E Trademarks Contents Protocol decoders IPS sensorsDoS sensors SYN flood attacksIntroduction FortiGate IPSAbout this document Fortinet documentationDocument conventions Typographic conventionsFortiGate Pptp VPN User Guide Fortinet Knowledge Center Customer service and technical supportComments on Fortinet technical documentation IPS settings and controls IPS overview and general configurationThis section contains the following topics When to use IPS Default signature and anomaly settingsDefault fail open setting Config ips global Set fail-open enable disable endSetting the buffer size Configuring logging and alert emailMonitoring the network and dealing with attacks Controlling sessionsAttack log messages Signature Anomaly FortiGuard CenterUsing IPS sensors in a protection profile Creating a protection profile that uses IPS sensorsAdding protection profiles to firewall policies Select Create NewAdding protection profiles to user groups Using IPS sensors in a protection profile IPS predefined signatures Predefined signaturesViewing the predefined signature list Settings EnableColumn Clear All FiltersCreate a sensor and add IPS filters to it Viewing the predefined signature list IPS custom signatures Custom signaturesViewing the custom signature list Custom signature configuration Adding custom signatures using the web-based managerAdding custom signatures using the CLI Command syntax patternCustom signature fields Creating custom signaturesShows the valid characters for custom signature fields Custom signature syntax AttackidName BufferOverflow SrcportContent keywords Keyword and value Description Deprecated, see pattern and context keywords Pattern GET Context uriPattern yahoo.com Context hostPcre Regex/mdelimRegexdelimismxAEGRU Uri !uristrProtocol tcp IP header keywords Keyword and Value DescriptionTCP header keywords Keyword and Value Description Tcpflags AP Tcpflags S,12Icmp keywords Keyword and Value Usage UDP header keywords Keyword and Value DescriptionOther keywords Keyword and Value Description Example custom signatures Example 1 signature to block access to example.comSbid --name Block.example.com Sbid --name Block.example.com Sbid --name Block.SMTP.VRFY.CMD Example 2 signature to block the Smtp ‘vrfy’ commandSbid --name Block.SMTP.VRFY.CMD --pattern vrfy Creating custom signatures Protocol decoders Protocol decodersUpgrading the IPS protocol decoder list Viewing the protocol decoder list Protocol decoder list Protocols Protocol decoder names PortAlldefault AlldefaultpassIPS sensors Viewing the IPS sensor listConfiguring IPS sensors Adding an IPS sensorProtectclient ProtectemailserverIPS sensor attributes IPS sensor filtersConfiguring filters ResetIPS sensor overrides Delete and Edit Delete or edit the filter IconsConfiguring pre-defined and custom overrides ApplicationExempt IP SourceDoS sensors Configuring DoS sensors Viewing the DoS sensor listSequence in which the sensors examine network traffic Appears, and select OKAnomaly configuration DoS sensor attributesName Enter or change the DoS sensor name Comments Will appear in the DoS sensor listUnderstanding the anomalies Anomaly Description Tcpdstsession UdpfloodUdpscan UdpsrcsessionUnderstanding the anomalies SYN flood attacks What is a SYN flood attack?How SYN floods work What is SYN threshold? What is SYN proxy?FortiGate IPS Response to SYN flood attacks How IPS works to prevent SYN floodsIPS operation before synflood threshold is reached Suggested settings for different network conditions Configuring SYN flood protectionConfigure the options for tcpsynflood Select OK What is an Icmp sweep? Icmp sweep attacksHow Icmp sweep attacks work FortiGate IPS response to Icmp sweep attacksPredefined Icmp signatures Icmp sweep anomalies Configuring Icmp sweep protection Index FortiGate Version 3.0 MR7 IPS User GuideTechnical support
Top Page Image Contents