Creating custom signatures                                      Custom signatures

Table 4: Content keywords (Continued)

Keyword and value | Description
--pcre [!]"(/<regex>/m<delim><regex><delim>)[ismxAEGRUB]"; | Similar to the pattern keyword, pcre is used to specify a pattern using Perl Compatible Regular Expressions (PCRE). A pcre keyword can be followed by a context keyword to define where to look for the pattern in the packet. If no context keyword is present, the FortiGate unit looks for the pattern anywhere in the packet buffer.
 | For more information about PCRE syntax, go to http://www.pcre.org.
 | The switches include:
 | • i: Case insensitive.
 | • s: Include newlines in the dot metacharacter.
 | • m: By default, the string is treated as one big line of characters; ^ and $ match at the beginning and end of the string. When m is set, ^ and $ match immediately following or immediately before any newline in the buffer, as well as the very start and very end of the buffer.
 | • x: White space data characters in the pattern are ignored except when escaped or inside a character class.
 | • A: The pattern must match only at the start of the buffer (same as ^).
 | • E: Set $ to match only at the end of the subject string. Without E, $ also matches immediately before the final character if it is a newline (but not before any other newlines).
 | • G: Invert the "greediness" of the quantifiers so that they are not greedy by default, but become greedy if followed by ?.
 | • R: Match relative to the end of the last pattern match (similar to distance:0;).
 | • U: Deprecated, see the context keyword. Match the decoded URI buffers.
--uri [!]"<uri_str>"; | Deprecated, see the pattern and context keywords.
 | The FortiGate unit will search for the URI in the packet payload. The URI must be enclosed in double quotes. To have the FortiGate unit search for a packet that does not contain the specified URI, add an exclamation mark (!) before the URI.
 | Multiple content items can be specified in one rule. The value can contain mixed text and binary data. The binary data is generally enclosed within the pipe (|) character.
 | The double quote ("), pipe sign (|) and colon (:) characters must be escaped using a backslash if specified in a URI string.
--within <within_int>; | When used with the distance keyword, the FortiGate unit searches for the contents within the specified number of bytes of the payload. The within value must be between 0 and 65535.
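The pcre switch semantics and the R (relative-to-last-match) behaviour described above, as an added Python emulation that is not FortiGate's own code: it parses a `--pcre` value, maps the i, s, m, x, A, E and R switches onto Python's `re` module, and chains the end of the previous match the way R expects. G, U and B are not emulated, and the packet buffers used with it are constructed for illustration.

```python
import re

FLAG_MAP = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE, "x": re.VERBOSE}
SUPPORTED = set("ismxAER")  # G (inverted greediness), U and B are not emulated here

def parse_pcre_value(value):
    """Split a value such as  !"/login\\.php/i";  into (negated, regex, switches).
    The regex delimiter is the first character after the opening double quote."""
    value = value.strip().rstrip(";")
    negated = value.startswith("!")
    if negated:
        value = value[1:]
    if len(value) < 4 or value[0] != '"' or value[-1] != '"':
        raise ValueError("pcre value must be enclosed in double quotes")
    body = value[1:-1]
    delim, end = body[0], body.rfind(body[0])
    if end == 0:
        raise ValueError("regex delimiter is not closed")
    regex, switches = body[1:end], body[end + 1:]
    unsupported = set(switches) - SUPPORTED
    if unsupported:
        raise ValueError("switch not emulated: " + "".join(sorted(unsupported)))
    return negated, regex, switches

def pcre_matches(value, buf, last_end=0):
    """Evaluate one pcre keyword against a packet buffer (bytes). Returns (matched,
    end_of_match); a negated or failed keyword leaves last_end unchanged."""
    negated, regex, switches = parse_pcre_value(value)
    flags = 0
    for sw in switches:
        flags |= FLAG_MAP.get(sw, 0)
    if "A" in switches:  # match only at the very start of the buffer
        regex = r"\A(?:" + regex + ")"
    if "E" in switches and regex.endswith("$") and not regex.endswith(r"\$"):
        regex = regex[:-1] + r"\Z"  # \Z: end of buffer only, never before a final newline
    start = last_end if "R" in switches else 0  # R: search relative to the last match
    m = re.compile(regex.encode(), flags).search(buf, start)
    if negated:
        return m is None, last_end
    return m is not None, (m.end() if m else last_end)

def rule_matches(pcre_values, buf):
    """Apply several pcre keywords in order, chaining the last-match position for R."""
    last_end = 0
    for value in pcre_values:
        ok, last_end = pcre_matches(value, buf, last_end)
        if not ok:
            return False
    return True
```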
FortiGate IPS User Guide Version 3.0 MR7
28