Fortinet IPS manual Sbid --name Block.example.com

Page 34

Creating custom signatures

Custom signatures

The FortiGate unit will limit its search for the pattern to the HTTP protocol. Even though the HTTP protocol uses only TCP traffic, the FortiGate will search for HTTP protocol communication in TCP, UDP, and ICMP traffic. This is a needless waste of system resources.

5Specifying the traffic type.

Use the --protocol tcp keyword to limit the effect of the custom signature to only TCP traffic. This will save system resources by not unnecessarily scanning UDP and ICMP traffic.

F-SBID( --name "Block.example.com"; --pattern "example.com"; --service HTTP; --protocol tcp; )

The FortiGate unit will limit its search for the pattern to TCP traffic and ignore UDP and ICMP network traffic.

6Ignoring case sensitivity

By default, patterns are case sensitive. If a user directed his or her browser to Example.com, the custom signature would not recognize the URL as a match.

Use the --no_casekeyword to make the pattern matching case insensitive.

F-SBID( --name "Block.example.com"; --pattern "example.com"; --service HTTP; --no_case; )

Unlike all of the other keywords in this example, the --no_casekeyword has no value. Only the keyword is required.

7Limiting pattern scans to only traffic sent from the client

The --flowcommand can be used to further limit the network traffic being scanned to only that send by the client or by the server.

F-SBID( --name "Block.example.com";

--pattern "example.com"; --service HTTP; --no_case; --flow from_client; )

Web servers don’t contact clients until clients first open a communication session. Therefore, using the --flow from_client command will force the FortiGate until to ignore all traffic originating from the server. Since the majority of HTTP traffic flows from the server to the client, this will save considerable system resources and still maintain protection.

8Specifying the context

When the client browser tries to contact example.com, a DNS is first consulted to get the example.com server IP address. The IP address is then specified in the URL field of the HTTP communication. The domain name will still appear in the host field so this custom signature will not function without the --context host keyword/value pair.

F-SBID( --name "Block.example.com";

--pattern "example.com"; --service HTTP; --no_case; --flow from_client; --context host; )

 

FortiGate IPS User Guide Version 3.0 MR7

34

01-30007-0080-20080916

Image 34
Contents E R G U I D E Trademarks Contents DoS sensors Protocol decodersIPS sensors SYN flood attacksIntroduction FortiGate IPSDocument conventions About this documentFortinet documentation Typographic conventionsFortiGate Pptp VPN User Guide Fortinet Knowledge Center Customer service and technical supportComments on Fortinet technical documentation IPS settings and controls IPS overview and general configurationThis section contains the following topics Default fail open setting When to use IPSDefault signature and anomaly settings Config ips global Set fail-open enable disable endMonitoring the network and dealing with attacks Setting the buffer sizeConfiguring logging and alert email Controlling sessionsAttack log messages Signature Anomaly FortiGuard CenterAdding protection profiles to firewall policies Using IPS sensors in a protection profileCreating a protection profile that uses IPS sensors Select Create NewAdding protection profiles to user groups Using IPS sensors in a protection profile IPS predefined signatures Predefined signaturesViewing the predefined signature list Column SettingsEnable Clear All FiltersCreate a sensor and add IPS filters to it Viewing the predefined signature list IPS custom signatures Custom signaturesViewing the custom signature list Adding custom signatures using the CLI Custom signature configurationAdding custom signatures using the web-based manager Command syntax patternCustom signature fields Creating custom signaturesShows the valid characters for custom signature fields Name BufferOverflow Custom signature syntaxAttackid SrcportContent keywords Keyword and value Description Deprecated, see pattern and context keywords Pattern yahoo.com Pattern GETContext uri Context hostRegexdelimismxAEGRU PcreRegex/mdelim Uri !uristrProtocol tcp IP header keywords Keyword and Value DescriptionTCP header keywords Keyword and Value Description Tcpflags AP Tcpflags S,12Icmp keywords Keyword and Value Usage UDP header keywords Keyword and Value DescriptionOther keywords Keyword and Value Description Example custom signatures Example 1 signature to block access to example.comSbid --name Block.example.com Sbid --name Block.example.com Sbid --name Block.SMTP.VRFY.CMD Example 2 signature to block the Smtp ‘vrfy’ commandSbid --name Block.SMTP.VRFY.CMD --pattern vrfy Creating custom signatures Protocol decoders Protocol decodersUpgrading the IPS protocol decoder list Viewing the protocol decoder list Protocol decoder list Protocols Protocol decoder names PortIPS sensors AlldefaultAlldefaultpass Viewing the IPS sensor listProtectclient Configuring IPS sensorsAdding an IPS sensor ProtectemailserverIPS sensor attributes IPS sensor filtersIPS sensor overrides Configuring filtersReset Delete and Edit Delete or edit the filter IconsConfiguring pre-defined and custom overrides ApplicationExempt IP SourceDoS sensors Sequence in which the sensors examine network traffic Configuring DoS sensorsViewing the DoS sensor list Appears, and select OKName Enter or change the DoS sensor name Comments Anomaly configurationDoS sensor attributes Will appear in the DoS sensor listUnderstanding the anomalies Udpscan Anomaly Description TcpdstsessionUdpflood UdpsrcsessionUnderstanding the anomalies SYN flood attacks What is a SYN flood attack?How SYN floods work FortiGate IPS Response to SYN flood attacks What is SYN threshold?What is SYN proxy? How IPS works to prevent SYN floodsIPS operation before synflood threshold is reached Suggested settings for different network conditions Configuring SYN flood protectionConfigure the options for tcpsynflood Select OK How Icmp sweep attacks work What is an Icmp sweep?Icmp sweep attacks FortiGate IPS response to Icmp sweep attacksPredefined Icmp signatures Icmp sweep anomalies Configuring Icmp sweep protection Index FortiGate Version 3.0 MR7 IPS User GuideTechnical support