Fortinet Creating Custom Application Signatures for FortiGate IPS: A Comprehensive Guide
Page 33

 

 

 

Custom signatures

Creating custom signatures

Table 9: Other keywords (Continued)

Keyword and Value

Description

 

 

--rpc_num<app_int>[,

Check for RPC application, version, and

<ver_int> *][,

procedure numbers in SUNRPC CALL

<proc_int> *>];

requests. The * wildcard can be used for

version and procedure numbers.

 

 

--same_ip;

The source and the destination have the same

 

IP addresses.

Example custom signatures

Custom signature fields and syntax are fully described in this chapter, though using them to build a custom signature can be complex. It’s best to start with a simpler signature.

Example 1: signature to block access to example.com

In this first example, we will create a custom signature to block access to the example.com URL.

1Custom signature basic format

All custom signatures have a header, and at least one keyword/value pair. The header is always the same:

F-SBID( )

The keyword/value pairs appear within the parentheses and each pair is followed by a semicolon.

2Choosing a name for the custom signature

Every custom signature requires a name, so it is good practice to assign a name before any other keywords are added.

Use the --namekeyword to assign the custom signature a name. The name value follows the keyword after a space. Enclose the name value in double- quotes:

F-SBID( --name "Block.example.com"; )

The signature, as it appears here, will not do anything if used. It has a name, but doesn’t look for any patterns in network traffic. You must specify a pattern for the FortiGate unit to search for.

3Adding a signature pattern

Use the --patternkeyword to specify what the FortiGate unit will search for:

F-SBID( --name "Block.example.com"; --pattern "example.com"; )

The signature will now detect the example.com URL appearing in network traffic. The custom signature should only detect the URL in HTTP traffic, however. Any other traffic with the URL should be allowed to pass. For example, an Email message to or from example.com should not be stopped.

4Specifying the service

Use the --servicekeyword to limit the effect of the custom signature to only the HTTP protocol.

F-SBID( --name "Block.example.com"; --pattern

"example.com"; --service HTTP; )

FortiGate IPS User Guide Version 3.0 MR7

 

01-30007-0080-20080916

33

Page 32 Page 34
Image 33
Page 32 Page 34
Contents E R G U I D E Trademarks Contents IPS sensors Protocol decodersDoS sensors SYN flood attacksFortiGate IPS IntroductionFortinet documentation About this documentDocument conventions Typographic conventionsFortiGate Pptp VPN User Guide Customer service and technical support Fortinet Knowledge CenterComments on Fortinet technical documentation IPS overview and general configuration IPS settings and controlsThis section contains the following topics Default signature and anomaly settings When to use IPSDefault fail open setting Config ips global Set fail-open enable disable endConfiguring logging and alert email Setting the buffer sizeMonitoring the network and dealing with attacks Controlling sessionsAttack log messages Signature FortiGuard Center AnomalyCreating a protection profile that uses IPS sensors Using IPS sensors in a protection profileAdding protection profiles to firewall policies Select Create NewAdding protection profiles to user groups Using IPS sensors in a protection profile Predefined signatures IPS predefined signaturesViewing the predefined signature list Enable SettingsColumn Clear All FiltersCreate a sensor and add IPS filters to it Viewing the predefined signature list Custom signatures IPS custom signaturesViewing the custom signature list Adding custom signatures using the web-based manager Custom signature configurationAdding custom signatures using the CLI Command syntax patternCreating custom signatures Custom signature fieldsShows the valid characters for custom signature fields Attackid Custom signature syntaxName BufferOverflow SrcportContent keywords Keyword and value Description Deprecated, see pattern and context keywords Context uri Pattern GETPattern yahoo.com Context hostRegex/mdelim PcreRegexdelimismxAEGRU Uri !uristrIP header keywords Keyword and Value Description Protocol tcpTCP header keywords Keyword and Value Description Tcpflags S,12 Tcpflags APUDP header keywords Keyword and Value Description Icmp keywords Keyword and Value UsageOther keywords Keyword and Value Description Example 1 signature to block access to example.com Example custom signaturesSbid --name Block.example.com Sbid --name Block.example.com Example 2 signature to block the Smtp ‘vrfy’ command Sbid --name Block.SMTP.VRFY.CMDSbid --name Block.SMTP.VRFY.CMD --pattern vrfy Creating custom signatures Protocol decoders Protocol decodersUpgrading the IPS protocol decoder list Protocol decoder list Protocols Protocol decoder names Port Viewing the protocol decoder listAlldefaultpass AlldefaultIPS sensors Viewing the IPS sensor listAdding an IPS sensor Configuring IPS sensorsProtectclient ProtectemailserverIPS sensor filters IPS sensor attributesReset Configuring filtersIPS sensor overrides Delete and Edit Delete or edit the filter IconsApplication Configuring pre-defined and custom overridesSource Exempt IPDoS sensors Viewing the DoS sensor list Configuring DoS sensorsSequence in which the sensors examine network traffic Appears, and select OKDoS sensor attributes Anomaly configurationName Enter or change the DoS sensor name Comments Will appear in the DoS sensor listUnderstanding the anomalies Udpflood Anomaly Description TcpdstsessionUdpscan UdpsrcsessionUnderstanding the anomalies What is a SYN flood attack? SYN flood attacksHow SYN floods work What is SYN proxy? What is SYN threshold?FortiGate IPS Response to SYN flood attacks How IPS works to prevent SYN floodsIPS operation before synflood threshold is reached Configuring SYN flood protection Suggested settings for different network conditionsConfigure the options for tcpsynflood Select OK Icmp sweep attacks What is an Icmp sweep?How Icmp sweep attacks work FortiGate IPS response to Icmp sweep attacksPredefined Icmp signatures Icmp sweep anomalies Configuring Icmp sweep protection FortiGate Version 3.0 MR7 IPS User Guide IndexTechnical support
Top Page Image Contents