Fortinet IPS manual Tcpflags AP, Tcpflags S,12

Page 31

 

 

 

Custom signatures

Creating custom signatures

Table 6: TCP header keywords (Continued)

Keyword and Value

Description

 

 

--tcp_flags

Specify the TCP flags to match in a packet.

<FSRPAU120>[!*+]

S: Match the SYN flag.

[,<FSRPAU120>];

A: Match the ACK flag.

 

 

F: Match the FIN flag.

 

R: Match the RST flag.

 

U: Match the URG flag.

 

P: Match the PSH flag.

 

1: Match Reserved bit 1.

 

2: Match Reserved bit 2.

 

0: Match No TCP flags set.

 

+: Match on the specified bits, plus any

 

others.

 

*: Match if any of the specified bits are set.

 

!: Match if the specified bits are not set.

 

The first part if the value (<FSRPAU120>) defines

 

the bits that must present for a successful match.

 

For example:

 

--tcp_flags AP

 

only matches the case where both A and P bits

 

are set.

 

The second part ([,<FSRPAU120>]) is optional,

 

and defines the additional bits that can present

 

for a match. For example:

 

tcp_flags S,12

 

matches the following combinations of flags: S, S

 

and 1, S and 2, S and 1 and 2.

 

The modifiers !, * and + can not be used in the

 

second part.

--window_size

Check for the specified TCP window size.

[!]<window_int>;

You can specify the window size as a

 

hexadecimal or decimal integer. A hexadecimal

 

value must be preceded by 0x.

 

To have the FortiGate search for the absence of

 

the specified window size, add an exclamation

 

mark (!) before the window size.

FortiGate IPS User Guide Version 3.0 MR7

 

01-30007-0080-20080916

31

Image 31
Contents E R G U I D E Trademarks Contents SYN flood attacks Protocol decodersIPS sensors DoS sensorsFortiGate IPS IntroductionTypographic conventions About this documentFortinet documentation Document conventionsFortiGate Pptp VPN User Guide Fortinet Knowledge Center Customer service and technical supportComments on Fortinet technical documentation IPS settings and controls IPS overview and general configurationThis section contains the following topics Config ips global Set fail-open enable disable end When to use IPSDefault signature and anomaly settings Default fail open settingControlling sessions Setting the buffer sizeConfiguring logging and alert email Monitoring the network and dealing with attacksAttack log messages Signature FortiGuard Center AnomalySelect Create New Using IPS sensors in a protection profileCreating a protection profile that uses IPS sensors Adding protection profiles to firewall policiesAdding protection profiles to user groups Using IPS sensors in a protection profile IPS predefined signatures Predefined signaturesViewing the predefined signature list Clear All Filters SettingsEnable ColumnCreate a sensor and add IPS filters to it Viewing the predefined signature list IPS custom signatures Custom signaturesViewing the custom signature list Command syntax pattern Custom signature configurationAdding custom signatures using the web-based manager Adding custom signatures using the CLICustom signature fields Creating custom signaturesShows the valid characters for custom signature fields Srcport Custom signature syntaxAttackid Name BufferOverflowContent keywords Keyword and value Description Deprecated, see pattern and context keywords Context host Pattern GETContext uri Pattern yahoo.comUri !uristr PcreRegex/mdelim RegexdelimismxAEGRUIP header keywords Keyword and Value Description Protocol tcpTCP header keywords Keyword and Value Description Tcpflags S,12 Tcpflags APIcmp keywords Keyword and Value Usage UDP header keywords Keyword and Value DescriptionOther keywords Keyword and Value Description Example custom signatures Example 1 signature to block access to example.comSbid --name Block.example.com Sbid --name Block.example.com Sbid --name Block.SMTP.VRFY.CMD Example 2 signature to block the Smtp ‘vrfy’ commandSbid --name Block.SMTP.VRFY.CMD --pattern vrfy Creating custom signatures Protocol decoders Protocol decodersUpgrading the IPS protocol decoder list Protocol decoder list Protocols Protocol decoder names Port Viewing the protocol decoder listViewing the IPS sensor list AlldefaultAlldefaultpass IPS sensorsProtectemailserver Configuring IPS sensorsAdding an IPS sensor ProtectclientIPS sensor filters IPS sensor attributesDelete and Edit Delete or edit the filter Icons Configuring filtersReset IPS sensor overridesApplication Configuring pre-defined and custom overridesSource Exempt IPDoS sensors Appears, and select OK Configuring DoS sensorsViewing the DoS sensor list Sequence in which the sensors examine network trafficWill appear in the DoS sensor list Anomaly configurationDoS sensor attributes Name Enter or change the DoS sensor name CommentsUnderstanding the anomalies Udpsrcsession Anomaly Description TcpdstsessionUdpflood UdpscanUnderstanding the anomalies SYN flood attacks What is a SYN flood attack?How SYN floods work How IPS works to prevent SYN floods What is SYN threshold?What is SYN proxy? FortiGate IPS Response to SYN flood attacksIPS operation before synflood threshold is reached Suggested settings for different network conditions Configuring SYN flood protectionConfigure the options for tcpsynflood Select OK FortiGate IPS response to Icmp sweep attacks What is an Icmp sweep?Icmp sweep attacks How Icmp sweep attacks workPredefined Icmp signatures Icmp sweep anomalies Configuring Icmp sweep protection FortiGate Version 3.0 MR7 IPS User Guide IndexTechnical support