Manuals / Fortinet / Computer Equipment / Network Card

Fortinet IPS manual Creating custom signatures, Custom signature fields

Models: IPS

1 62

Download 62 pages 3.82 Kb

Page 23


Custom signatures	Creating custom signatures

Creating custom signatures

Custom signatures are added separately to each VDOM. In each VDOM, there can be a maximum of 255 custom signatures.

A custom signature definition is limited to a maximum length of 512 characters. A definition can be a single line or span multiple lines connected by a backslash (\) at the end of each line.

A custom signature definition begins with a header, followed by a set of keyword/value pairs enclosed by parenthesis [( )]. The keyword and value pairs are separated by a semi colon (;) and consist of a keyword and a value separated by a space. The basic format of a definition is HEADER (KEYWORD VALUE;)

You can use as many keyword/value pairs as required within the 512 character limit.

Custom signature fields

Table 1shows the valid characters for custom signature fields.

Table 1: Valid characters for custom signature fields

Field	Valid Characters	Usage

HEADER	F-SBID	The header for an attack definition
		signature. Each custom signature must
		begin with this header.

KEYWORD	Each keyword must start with	The keyword is used to identify a
	“--”, and be a string of 1 to 19	parameter. See “Custom signature
	characters.	syntax” on page 24 for tables of
	Normally, keywords are an	supported keywords.
	English word or English
	words connected by “_”.
	Keywords are case
	insensitive.

VALUE	Double quotes must be used	Set the value for a parameter identified
	around the value if it contains	by a keyword.
	a space and/or a semicolon.
	If the value is NULL, the
	space between the
	KEYWORD and VALUE can
	be omitted.
	Values are case sensitive.
	Note: if double quotes are
	used for quoting the value,
	the double quotes are not
	considered as part of the
	value string.

FortiGate IPS User Guide Version 3.0 MR7
01-30007-0080-20080916	23

Image 23

Fortinet IPS Creating custom signatures, Custom signature fields, Shows the valid characters for custom signature fields

Contents

E R G U I D E Trademarks Contents SYN flood attacks Protocol decodersIPS sensors DoS sensorsFortiGate IPS IntroductionTypographic conventions About this documentFortinet documentation Document conventionsFortiGate Pptp VPN User Guide Comments on Fortinet technical documentation Customer service and technical supportFortinet Knowledge Center This section contains the following topics IPS overview and general configurationIPS settings and controls Config ips global Set fail-open enable disable end When to use IPSDefault signature and anomaly settings Default fail open settingControlling sessions Setting the buffer sizeConfiguring logging and alert email Monitoring the network and dealing with attacksAttack log messages Signature FortiGuard Center AnomalySelect Create New Using IPS sensors in a protection profileCreating a protection profile that uses IPS sensors Adding protection profiles to firewall policiesAdding protection profiles to user groups Using IPS sensors in a protection profile Viewing the predefined signature list Predefined signaturesIPS predefined signatures Clear All Filters SettingsEnable ColumnCreate a sensor and add IPS filters to it Viewing the predefined signature list Viewing the custom signature list Custom signaturesIPS custom signatures Command syntax pattern Custom signature configurationAdding custom signatures using the web-based manager Adding custom signatures using the CLIShows the valid characters for custom signature fields Creating custom signaturesCustom signature fields Srcport Custom signature syntaxAttackid Name BufferOverflowContent keywords Keyword and value Description Deprecated, see pattern and context keywords Context host Pattern GETContext uri Pattern yahoo.comUri !uristr PcreRegex/mdelim RegexdelimismxAEGRUIP header keywords Keyword and Value Description Protocol tcpTCP header keywords Keyword and Value Description Tcpflags S,12 Tcpflags APOther keywords Keyword and Value Description UDP header keywords Keyword and Value DescriptionIcmp keywords Keyword and Value Usage Sbid --name Block.example.com Example 1 signature to block access to example.comExample custom signatures Sbid --name Block.example.com Sbid --name Block.SMTP.VRFY.CMD --pattern vrfy Example 2 signature to block the Smtp ‘vrfy’ commandSbid --name Block.SMTP.VRFY.CMD Creating custom signatures Upgrading the IPS protocol decoder list Protocol decodersProtocol decoders Protocol decoder list Protocols Protocol decoder names Port Viewing the protocol decoder listViewing the IPS sensor list AlldefaultAlldefaultpass IPS sensorsProtectemailserver Configuring IPS sensorsAdding an IPS sensor ProtectclientIPS sensor filters IPS sensor attributesDelete and Edit Delete or edit the filter Icons Configuring filtersReset IPS sensor overridesApplication Configuring pre-defined and custom overridesSource Exempt IPDoS sensors Appears, and select OK Configuring DoS sensorsViewing the DoS sensor list Sequence in which the sensors examine network trafficWill appear in the DoS sensor list Anomaly configurationDoS sensor attributes Name Enter or change the DoS sensor name CommentsUnderstanding the anomalies Udpsrcsession Anomaly Description TcpdstsessionUdpflood UdpscanUnderstanding the anomalies How SYN floods work What is a SYN flood attack?SYN flood attacks How IPS works to prevent SYN floods What is SYN threshold?What is SYN proxy? FortiGate IPS Response to SYN flood attacksIPS operation before synflood threshold is reached Configure the options for tcpsynflood Select OK Configuring SYN flood protectionSuggested settings for different network conditions FortiGate IPS response to Icmp sweep attacks What is an Icmp sweep?Icmp sweep attacks How Icmp sweep attacks workPredefined Icmp signatures Icmp sweep anomalies Configuring Icmp sweep protection FortiGate Version 3.0 MR7 IPS User Guide IndexTechnical support