Creating custom signatures

Custom signatures

Custom signature syntax

Table 2: Information keywords

Keyword and value          Description

--attack_id <id_int>;      This optional value is used to identify the signature. It
                           cannot be the same value as any other custom rule within
                           the same VDOM. If an attack ID is not specified, the
                           FortiGate automatically assigns an attack ID to the
                           signature.

                           An attack ID you assign must be between 1000 and 9999.

                           Example:
                           --attack_id 1234;

--name <name_str>;         Enter the name of the rule. A rule name must be unique
                           within the same VDOM.

                           The name you assign must be a string greater than 0 and
                           less than 64 characters in length.

                           Example:
                           --name "Buffer_Overflow";

Table 3: Session keywords

Keyword and value          Description

--flow {from_client        Specify the traffic direction and state to be inspected.
  from_server              These values can be used for all IP traffic.
  bi_direction};
                           Example:
                           --src_port 41523;
                           --flow bi_direction;

                           The signature checks traffic to and from port 41523.

                           Previous FortiOS versions used to_client and to_server
                           values. These are now deprecated, but still function for
                           backwards compatibility.

--service {HTTP TELNET     Specify the protocol type to be inspected.
  FTP DNS SMTP POP3
  IMAP SNMP RADIUS         This keyword allows you to specify the traffic type by
  LDAP MSSQL RPC SIP       protocol rather than by port. If the decoder has the
  H323 NBSS DCERPC         capability to identify the protocol on any port, the
  SSH SSL};                signature can be used to detect the attack no matter
                           what port the service is running on. Currently, HTTP,
                           SIP, SSL, and SSH protocols can be identified on any
                           port based on the content.
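The following is an added example, not part of the FortiGate IPS User Guide and not Fortinet's code: a small Python checker that applies the rules from Table 2 and Table 3 to a custom signature string before it is entered on the FortiGate. It treats --name as required (an assumption; the guide only gives its length limits), accepts an optional F-SBID( ... ) wrapper (the form used on the FortiOS CLI, which this page does not show), and the class and function names, warning texts, and sample signatures are constructions of the example, not of the guide.

```python
import re

# Values taken from the session-keyword table above.
FLOW_VALUES = ("from_client", "from_server", "bi_direction")
DEPRECATED_FLOW_VALUES = ("to_client", "to_server")   # older names, still accepted
SERVICE_VALUES = ("HTTP", "TELNET", "FTP", "DNS", "SMTP", "POP3", "IMAP", "SNMP",
                  "RADIUS", "LDAP", "MSSQL", "RPC", "SIP", "H323", "NBSS", "DCERPC",
                  "SSH", "SSL")
PORT_INDEPENDENT_SERVICES = ("HTTP", "SIP", "SSL", "SSH")   # identified by content

KEYWORD_RE = re.compile(r"[a-z][a-z0-9_]*")


class SignatureError(ValueError):
    """A hard syntax or constraint violation in a custom signature."""


class Vdom:
    """Names and attack IDs already used by custom signatures in one VDOM."""

    def __init__(self):
        self.names = set()
        self.attack_ids = set()


def parse_signature(text):
    """Split '--keyword value; --keyword value;' into a dict keyword -> value."""
    body = text.strip()
    # Optional F-SBID( ... ) wrapper (assumption: CLI form, not shown on this page).
    wrapped = re.fullmatch(r"F-SBID\s*\((.*)\)", body, re.S)
    if wrapped:
        body = wrapped.group(1)
    fields = {}
    for stmt in body.split(";"):
        stmt = stmt.strip()
        if not stmt:
            continue
        if not stmt.startswith("--"):
            raise SignatureError("keyword must start with '--': %r" % stmt)
        parts = stmt[2:].split(None, 1)
        if not parts or not KEYWORD_RE.fullmatch(parts[0]):
            raise SignatureError("malformed keyword: %r" % stmt)   # e.g. '---name'
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]                 # strip the quotes around a name string
        if key in fields:
            raise SignatureError("keyword --%s given twice" % key)
        fields[key] = value
    return fields


def validate(fields, vdom=None):
    """Apply the constraints from Tables 2 and 3. Raises SignatureError on a hard
    violation and returns a list of warnings for things that work but are unwise."""
    warnings = []

    name = fields.get("name", "")               # assumption: --name is required
    if not 0 < len(name) < 64:
        raise SignatureError("--name must be 1 to 63 characters, got %d" % len(name))

    attack_id = None
    if "attack_id" in fields:
        if not fields["attack_id"].isdigit():
            raise SignatureError("--attack_id must be an integer")
        attack_id = int(fields["attack_id"])
        if not 1000 <= attack_id <= 9999:
            raise SignatureError("--attack_id must be between 1000 and 9999")

    flow = fields.get("flow")
    if flow is not None:
        if flow in DEPRECATED_FLOW_VALUES:
            warnings.append("--flow %s is deprecated; use from_client, from_server "
                            "or bi_direction" % flow)
        elif flow not in FLOW_VALUES:
            raise SignatureError("unknown --flow value %r" % flow)

    service = fields.get("service")
    if service is not None:
        if service not in SERVICE_VALUES:
            raise SignatureError("unknown --service value %r" % service)
        if service not in PORT_INDEPENDENT_SERVICES:
            warnings.append("--service %s is not identified by content; the decoder "
                            "only sees it on its standard port" % service)

    if vdom is not None:                        # uniqueness is enforced per VDOM
        if name in vdom.names:
            raise SignatureError("--name %r already used in this VDOM" % name)
        if attack_id is not None and attack_id in vdom.attack_ids:
            raise SignatureError("--attack_id %d already used in this VDOM" % attack_id)
        vdom.names.add(name)
        if attack_id is not None:
            vdom.attack_ids.add(attack_id)
    return warnings


def check(text, vdom=None):
    """Return ('ok', warnings) or ('error', [message]) for one signature string."""
    try:
        return "ok", validate(parse_signature(text), vdom)
    except SignatureError as exc:
        return "error", [str(exc)]


# Constructed sample signatures (not from the guide), one per rule exercised.
SAMPLES = [
    '--attack_id 1234; --name "Buffer_Overflow"; --src_port 41523; --flow bi_direction;',
    '--attack_id 1234; --name "Buffer_Overflow_2"; --flow from_client;',  # ID reused
    '--attack_id 999; --name "Low_ID";',                                    # below 1000
    '--name "Old_Flow"; --flow to_client;',                                 # deprecated
    '--name "FTP_On_Any_Port"; --service FTP;',                             # port-bound
    '---name "Three_Dashes";',                                              # malformed
]

if __name__ == "__main__":
    vdom = Vdom()
    for sig in SAMPLES:
        status, messages = check(sig, vdom)
        print(status, sig, *messages, sep="\n    ")
```

Run with a single Vdom instance across all signatures that will share a VDOM, as the loop above does: the second sample is rejected only because the first already claimed attack ID 1234, which is exactly the per-VDOM clash the guide warns about.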

 

FortiGate IPS User Guide Version 3.0 MR7    24    01-30007-0080-20080916
