Custom signatures

Creating custom signatures

Table 4: Content keywords (Continued)

Keyword and value / Description

--context {uri | header | body | host};
    Specify the protocol field in which the pattern should be looked for.
    If no context is specified for a pattern, the FortiGate unit searches
    for the pattern anywhere in the packet buffer. The available context
    variables are:
        uri: Search for the pattern in the HTTP URI line.
        header: Search for the pattern in HTTP header lines or
            SMTP/POP3/SMTP control messages.
        body: Search for the pattern in the HTTP body or the
            SMTP/POP3/SMTP email body.
        host: Search for the pattern in the HTTP HOST line.
    Example:
        --pattern "GET "
        --context uri
        --pattern "yahoo.com"
        --context host
        --no_case
        --pcre "/DESCRIBE\s+\/\s+RTSP\//i"
        --context header

--no_case;
    The no_case keyword forces the FortiGate unit to perform a
    case-insensitive pattern match.

--offset <offset_int>;
    The FortiGate unit starts looking for the contents the specified number
    of bytes into the payload. The specified number of bytes is an absolute
    value in the payload. Follow the offset keyword with the depth keyword
    to stop looking for a match after a specified number of bytes. If no
    depth is specified, the FortiGate unit continues looking for a match
    until the end of the payload.
    The offset must be between 0 and 65535.

--pattern [!]"<pattern_str>";
    The FortiGate unit searches for the specified pattern. A pattern
    keyword is normally followed by a context keyword to define where to
    look for the pattern in the packet. If no context keyword is present,
    the FortiGate unit looks for the pattern anywhere in the packet buffer.
    To have the FortiGate unit search for a packet that does not contain
    the specified URI, add an exclamation mark (!) before the URI.
    Example:
        --pattern "/level/"
        --pattern "E8 D9FF FFFF/bin/sh"
        --pattern !"20RTSP/"
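As an added illustration (not FortiGate code and not an example from the guide), the following Python toy emulates how the keywords in this table combine on a constructed HTTP request: a pattern with optional ! negation, a context, no_case, offset and depth, and a --pcre written in /regex/flags form. It assumes that depth is counted from the offset, which the table does not state, and that an unspecified context means the whole buffer.

```python
import re

# Toy emulation of the content keywords in Table 4 (constructed example,
# not FortiGate code). Assumption: depth is measured from the offset.
# A context of None stands for "no --context given" (whole packet buffer).

def split_contexts(request: bytes) -> dict:
    """Carve an HTTP request into the uri, header, host and body contexts."""
    head, _, body = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = lines[1:]
    host = next((h for h in headers if h.lower().startswith(b"host:")), b"")
    return {"uri": lines[0], "header": b"\r\n".join(headers),
            "host": host, "body": body, None: request}

def match_pattern(request: bytes, pattern: bytes, context=None, no_case=False,
                  offset=0, depth=None, negate=False) -> bool:
    """Apply one --pattern keyword with its modifiers; True means a hit."""
    if not 0 <= offset <= 65535:
        raise ValueError("offset must be between 0 and 65535")
    buf = split_contexts(request)[context]
    window = buf[offset:] if depth is None else buf[offset:offset + depth]
    if no_case:
        window, pattern = window.lower(), pattern.lower()
    hit = pattern in window
    return not hit if negate else hit  # ! inverts the result

def match_pcre(request: bytes, pcre: str, context=None) -> bool:
    """Apply a --pcre keyword given as /regex/flags (only the i flag handled)."""
    m = re.fullmatch(r"/(.*)/([a-z]*)", pcre, re.S)
    if not m:
        raise ValueError("pcre must be written as /regex/flags")
    flags = re.IGNORECASE if "i" in m.group(2) else 0
    buf = split_contexts(request)[context]
    return re.search(m.group(1).encode(), buf, flags) is not None

# Constructed sample request used for the checks.
SAMPLE = (b"GET /level/15/exec HTTP/1.1\r\n"
          b"Host: mail.YAHOO.com\r\n"
          b"User-Agent: test\r\n\r\n"
          b"data=1")

if __name__ == "__main__":
    print(match_pattern(SAMPLE, b"GET ", context="uri"))
    print(match_pattern(SAMPLE, b"yahoo.com", context="host", no_case=True))
```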

FortiGate IPS User Guide Version 3.0 MR7

 

01-30007-0080-20080916

27
