UDP header keywords Keyword and Value Description | Fortinet IPS

Creating custom signatures

Custom signatures

Table 7: UDP header keywords

	Keyword and Value	Description

	--dst_port [!]{<port_int>	The destination port number.
	:<port_int> <port_int>:	You can specify a single port or port range:
	<port_int>:<port_int>};	• <port_int> is a single port.
		• :<port_int> includes the specified port and
			all lower numbered ports.
		• <port_int>: includes the specified port and
			all higher numbered ports.
		• <port_int>:<port_int> includes the two
			specified ports and all ports in between.
	--src_port [!]{<port_int>	The source port number.
	:<port_int> <port_int>:	You can specify a single port or port range:
	<port_int>:<port_int>};	• <port_int> is a single port.
		• :<port_int> includes the specified port and
			all lower numbered ports.
		• <port_int>: includes the specified port and
			all higher numbered ports.
		• <port_int>:<port_int> includes the two
			specified ports and all ports in between.
Table 8: ICMP keywords

	Keyword and Value	Usage

	--icmp_code <code_int>;	Specify the ICMP code to match.
	--icmp_id <id_int>;	Check for the specified ICMP ID value.
	--icmp_seq <seq_int>;	Check for the specified ICMP sequence value.
	--icmp_type <type_int>;	Specify the ICMP type to match.
Table 9: Other keywords

	Keyword and Value		Description

	--data_size {<size_int>		Test the packet payload size. With data_size
	<<size_int> ><size_int>		specified, packet reassembly is turned off
	<port_int><><port_int>};		automatically. So a signature with data_size
	<port_int><><port_int>};		and only_stream values set is wrong.
			and only_stream values set is wrong.
			• <size_int> is a particular packet size.
			• <<size_int> is a packet smaller than the
			specified size.
			• ><size_int> is a packet larger than the
			specified size.
			• <size_int><><size_int> within the
			range between the specified sizes.
	--data_at <offset_int>[,		Verify that the payload has data at a specified
	relative];		offset, optionally looking for data relative to the
			end of the previous content match.

	FortiGate IPS User Guide Version 3.0 MR7
32	01-30007-0080-20080916

Image 32

Fortinet IPS manual UDP header keywords Keyword and Value Description, Icmp keywords Keyword and Value Usage

Contents

E R G U I D E Trademarks Contents Protocol decoders IPS sensorsDoS sensors SYN flood attacks Introduction FortiGate IPS About this document Fortinet documentationDocument conventions Typographic conventions FortiGate Pptp VPN User Guide Comments on Fortinet technical documentation Customer service and technical supportFortinet Knowledge Center This section contains the following topics IPS overview and general configurationIPS settings and controls When to use IPS Default signature and anomaly settingsDefault fail open setting Config ips global Set fail-open enable disable end Setting the buffer size Configuring logging and alert emailMonitoring the network and dealing with attacks Controlling sessions Attack log messages Signature Anomaly FortiGuard Center Using IPS sensors in a protection profile Creating a protection profile that uses IPS sensorsAdding protection profiles to firewall policies Select Create New Adding protection profiles to user groups Using IPS sensors in a protection profile Viewing the predefined signature list Predefined signaturesIPS predefined signatures Settings EnableColumn Clear All Filters Create a sensor and add IPS filters to it Viewing the predefined signature list Viewing the custom signature list Custom signaturesIPS custom signatures Custom signature configuration Adding custom signatures using the web-based managerAdding custom signatures using the CLI Command syntax pattern Shows the valid characters for custom signature fields Creating custom signaturesCustom signature fields Custom signature syntax AttackidName BufferOverflow Srcport Content keywords Keyword and value Description Deprecated, see pattern and context keywords Pattern GET Context uriPattern yahoo.com Context host Pcre Regex/mdelimRegexdelimismxAEGRU Uri !uristr Protocol tcp IP header keywords Keyword and Value Description TCP header keywords Keyword and Value Description Tcpflags AP Tcpflags S,12 Other keywords Keyword and Value Description UDP header keywords Keyword and Value DescriptionIcmp keywords Keyword and Value Usage Sbid --name Block.example.com Example 1 signature to block access to example.comExample custom signatures Sbid --name Block.example.com Sbid --name Block.SMTP.VRFY.CMD --pattern vrfy Example 2 signature to block the Smtp ‘vrfy’ commandSbid --name Block.SMTP.VRFY.CMD Creating custom signatures Upgrading the IPS protocol decoder list Protocol decodersProtocol decoders Viewing the protocol decoder list Protocol decoder list Protocols Protocol decoder names Port Alldefault AlldefaultpassIPS sensors Viewing the IPS sensor list Configuring IPS sensors Adding an IPS sensorProtectclient Protectemailserver IPS sensor attributes IPS sensor filters Configuring filters ResetIPS sensor overrides Delete and Edit Delete or edit the filter Icons Configuring pre-defined and custom overrides Application Exempt IP Source DoS sensors Configuring DoS sensors Viewing the DoS sensor listSequence in which the sensors examine network traffic Appears, and select OK Anomaly configuration DoS sensor attributesName Enter or change the DoS sensor name Comments Will appear in the DoS sensor list Understanding the anomalies Anomaly Description Tcpdstsession UdpfloodUdpscan Udpsrcsession Understanding the anomalies How SYN floods work What is a SYN flood attack?SYN flood attacks What is SYN threshold? What is SYN proxy?FortiGate IPS Response to SYN flood attacks How IPS works to prevent SYN floods IPS operation before synflood threshold is reached Configure the options for tcpsynflood Select OK Configuring SYN flood protectionSuggested settings for different network conditions What is an Icmp sweep? Icmp sweep attacksHow Icmp sweep attacks work FortiGate IPS response to Icmp sweep attacks Predefined Icmp signatures Icmp sweep anomalies Configuring Icmp sweep protection Index FortiGate Version 3.0 MR7 IPS User Guide Technical support