Fortinet IPS - page 25

Custom signatures Creating custom signatures

FortiGate IPS User Guide Version 3.0 MR7

01-30007-0080-20080916 25

Table 4: Content keywords

Keyword and value Description

--byte_jump

<bytes_to_convert>,

<offset>[, relative]

[, big] [, little]

[, string] [, hex]

[, dec] [, oct]

[, align];

Use the byte_jump option to extract a number of

bytes from a packet, convert them to their numeric

representation, and jump the match reference up that

many bytes (for further pattern matching or byte

testing). This keyword allows relative pattern matches

to take into account numerical values found in network

data.

The available keyword options include:

•<bytes_to_convert>: The number of bytes to

examine from the packet.

•<offset>: The number of bytes into the payload to

start processing.

•relative: Use an offset relative to last pattern

match.

•big: Process the data as big endian (default).

•little: Process the data as little endian.

•string: The data is a string in the packet.

•hex: The converted string data is represented in

hexadecimal notation.

•dec: The converted string data is represented in

decimal notation.

•oct: The converted string data is represented in

octal notation.

•align: Round up the number of converted bytes to

the next 32-bit boundary.

Contents

Main Page Contents IPS overview and general configuration.......................................... 9 Predefined signatures ..................................................................... 17 Custom signatures........................................................................... 21 Protocol decoders ........................................................................... 37 DoS sensors..................................................................................... 45 SYN flood attacks ............................................................................ 51 ICMP sweep attacks......................................................................... 55 Introduction The FortiGate IPS About this document Document conventions Typographic conventions ! Page Fortinet Knowledge Center Comments on Fortinet technical documentation Customer service and technical support IPS overview and general configuration The FortiGate IPS IPS settings and controls When to use IPS Network performance Default signature and anomaly settings Default fail open setting Controlling sessions Setting the buffer size Monitoring the network and dealing with attacks Configuring logging and alert email Attack log messages Signature Anomaly The FortiGuard Center Using IPS sensors in a protection profile Creating a protection profile that uses IPS sensors Adding protection profiles to firewall policies Page Page Predefined signatures IPS predefined signatures Viewing the predefined signature list Fine tuning IPS predefined signatures for enhanced system performance Page Page Custom signatures IPS custom signatures Viewing the custom signature list Custom signature configuration Adding custom signatures using the web-based manager Adding custom signatures using the CLI Command syntax pattern Creating custom signatures Custom signature fields Custom signature syntax --attack_id 1234; ---name "Buffer_Overflow"; --src_port 41523; --flow bi_direction; Page Page Page Page --protocol tcp; Page --tcp_flags AP tcp_flags S,12 Page Example custom signatures Example 1: signature to block access to example.com Page Example 2: signature to block the SMTP vrfy command Page Protocol decoders Protocol decoders Upgrading the IPS protocol decoder list Page IPS sensors Viewing the IPS sensor list Adding an IPS sensor Configuring IPS sensors IPS sensor attributes: IPS sensor filters: IPS sensor overrides: Configuring filters Configuring pre-defined and custom overrides Page DoS sensors Viewing the DoS sensor list Configuring DoS sensors DoS sensor attributes: Anomaly configuration: Understanding the anomalies Page Page SYN flood attacks What is a SYN flood attack? How SYN floods work The FortiGate IPS Response to SYN flood attacks What is SYN threshold? What is SYN proxy? How IPS works to prevent SYN floods Page Configuring SYN flood protection Suggested settings for different network conditions ICMP sweep attacks What is an ICMP sweep? How ICMP sweep attacks work The FortiGate IPS response to ICMP sweep attacks Predefined ICMP signatures Tabl e 11 describes all the ICMP-related predefined signatures and the default settings for each. ICMP sweep anomalies Configuring ICMP sweep protection Suggested settings for different network conditions Index A C D F