Content keywords Keyword and value Description | Fortinet IPS


Custom signatures	Creating custom signatures

Table 4: Content keywords

Keyword and value	Description

--byte_jump	Use the byte_jump option to extract a number of
<bytes_to_convert>,	bytes from a packet, convert them to their numeric
<offset>[, relative]	representation, and jump the match reference up that
<offset>[, relative]	many bytes (for further pattern matching or byte
[, big] [, little]	testing). This keyword allows relative pattern matches
[, string] [, hex]	to take into account numerical values found in network
[, dec] [, oct]	data.
[, align];	The available keyword options include:
	• <bytes_to_convert>: The number of bytes to
	examine from the packet.
	• <offset>: The number of bytes into the payload to
	start processing.
	• relative: Use an offset relative to last pattern
	match.
	• big: Process the data as big endian (default).
	• little: Process the data as little endian.
	• string: The data is a string in the packet.
	• hex: The converted string data is represented in
	hexadecimal notation.
	• dec: The converted string data is represented in
	decimal notation.
	• oct: The converted string data is represented in
	octal notation.
	• align: Round up the number of converted bytes to
	the next 32-bit boundary.

FortiGate IPS User Guide Version 3.0 MR7
01-30007-0080-20080916	25

Image 25

Fortinet IPS manual Content keywords Keyword and value Description

Contents

E R G U I D E Trademarks Contents IPS sensors Protocol decodersDoS sensors SYN flood attacks FortiGate IPS Introduction Fortinet documentation About this documentDocument conventions Typographic conventions FortiGate Pptp VPN User Guide Fortinet Knowledge Center Customer service and technical supportComments on Fortinet technical documentation IPS settings and controls IPS overview and general configurationThis section contains the following topics Default signature and anomaly settings When to use IPSDefault fail open setting Config ips global Set fail-open enable disable end Configuring logging and alert email Setting the buffer sizeMonitoring the network and dealing with attacks Controlling sessions Attack log messages Signature FortiGuard Center Anomaly Creating a protection profile that uses IPS sensors Using IPS sensors in a protection profileAdding protection profiles to firewall policies Select Create New Adding protection profiles to user groups Using IPS sensors in a protection profile IPS predefined signatures Predefined signaturesViewing the predefined signature list Enable SettingsColumn Clear All Filters Create a sensor and add IPS filters to it Viewing the predefined signature list IPS custom signatures Custom signaturesViewing the custom signature list Adding custom signatures using the web-based manager Custom signature configurationAdding custom signatures using the CLI Command syntax pattern Custom signature fields Creating custom signaturesShows the valid characters for custom signature fields Attackid Custom signature syntaxName BufferOverflow Srcport Content keywords Keyword and value Description Deprecated, see pattern and context keywords Context uri Pattern GETPattern yahoo.com Context host Regex/mdelim PcreRegexdelimismxAEGRU Uri !uristr IP header keywords Keyword and Value Description Protocol tcp TCP header keywords Keyword and Value Description Tcpflags S,12 Tcpflags AP Icmp keywords Keyword and Value Usage UDP header keywords Keyword and Value DescriptionOther keywords Keyword and Value Description Example custom signatures Example 1 signature to block access to example.comSbid --name Block.example.com Sbid --name Block.example.com Sbid --name Block.SMTP.VRFY.CMD Example 2 signature to block the Smtp ‘vrfy’ commandSbid --name Block.SMTP.VRFY.CMD --pattern vrfy Creating custom signatures Protocol decoders Protocol decodersUpgrading the IPS protocol decoder list Protocol decoder list Protocols Protocol decoder names Port Viewing the protocol decoder list Alldefaultpass AlldefaultIPS sensors Viewing the IPS sensor list Adding an IPS sensor Configuring IPS sensorsProtectclient Protectemailserver IPS sensor filters IPS sensor attributes Reset Configuring filtersIPS sensor overrides Delete and Edit Delete or edit the filter Icons Application Configuring pre-defined and custom overrides Source Exempt IP DoS sensors Viewing the DoS sensor list Configuring DoS sensorsSequence in which the sensors examine network traffic Appears, and select OK DoS sensor attributes Anomaly configurationName Enter or change the DoS sensor name Comments Will appear in the DoS sensor list Understanding the anomalies Udpflood Anomaly Description TcpdstsessionUdpscan Udpsrcsession Understanding the anomalies SYN flood attacks What is a SYN flood attack?How SYN floods work What is SYN proxy? What is SYN threshold?FortiGate IPS Response to SYN flood attacks How IPS works to prevent SYN floods IPS operation before synflood threshold is reached Suggested settings for different network conditions Configuring SYN flood protectionConfigure the options for tcpsynflood Select OK Icmp sweep attacks What is an Icmp sweep?How Icmp sweep attacks work FortiGate IPS response to Icmp sweep attacks Predefined Icmp signatures Icmp sweep anomalies Configuring Icmp sweep protection FortiGate Version 3.0 MR7 IPS User Guide Index Technical support