Creating custom signatures

Custom signatures

Use the --protocol tcp keyword to limit the effect of the custom signature to only TCP traffic. This will save system resources by not unnecessarily scanning UDP and ICMP traffic.

F-SBID( --name "Block.SMTP.VRFY.CMD"; --pattern "vrfy"; --service SMTP; --protocol tcp; )

The FortiGate unit will limit its search for the pattern to TCP traffic and ignore the pattern in UDP and ICMP network traffic.

6 Ignoring case sensitivity

By default, patterns are case sensitive. If a user directed his or her browser to Example.com, the custom signature would not recognize the URL as a match.

Use the --no_case keyword to make the pattern matching case insensitive.

F-SBID( --name "Block.SMTP.VRFY.CMD"; --pattern "vrfy"; --service SMTP; --no_case; )

Unlike all of the other keywords in this example, the --no_case keyword has no value. Only the keyword is required.

7 Specifying the context

The SMTP vrfy command will appear in the SMTP header. The --context header keyword/value pair allows you to limit the pattern search to only the header.

F-SBID( --name "Block.SMTP.VRFY.CMD"; --pattern "vrfy"; --service SMTP; --no_case; --context header; )
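The following is an added example, not code from the guide or from Fortinet: a small Python checker that parses F-SBID signature lines and applies the --protocol, --no_case and --context header rules described above to a few constructed sample messages. The traffic records are constructed for illustration and are not real FortiGate input.

```python
import re

# Constructed sample traffic records: (protocol, header, body). Not from the guide.
SAMPLES = [
    ("tcp", "VRFY root", ""),                                   # upper-case VRFY in header
    ("udp", "vrfy root", ""),                                   # same command over UDP
    ("tcp", "MAIL FROM:<a@example.com>", "please vrfy this"),  # pattern only in body
]

SIG_BASIC = 'F-SBID( --name "Block.SMTP.VRFY.CMD"; --pattern "vrfy"; --service SMTP; --protocol tcp; )'
SIG_NOCASE = 'F-SBID( --name "Block.SMTP.VRFY.CMD"; --pattern "vrfy"; --service SMTP; --no_case; )'
SIG_HEADER = 'F-SBID( --name "Block.SMTP.VRFY.CMD"; --pattern "vrfy"; --service SMTP; --no_case; --context header; )'

def parse_fsbid(sig: str) -> dict:
    """Parse an F-SBID( ... ) line into keyword -> value.
    Valueless keywords such as --no_case map to True. Fields are split on ';',
    so this simple parser assumes the pattern itself contains no semicolon."""
    m = re.fullmatch(r"\s*F-SBID\(\s*(.*?)\s*\)\s*", sig)
    if not m:
        raise ValueError("not an F-SBID signature")
    opts = {}
    for field in m.group(1).split(";"):
        field = field.strip()
        if not field:
            continue
        key, _, value = field.partition(" ")
        if not key.startswith("--"):
            raise ValueError(f"bad keyword: {key}")
        value = value.strip().strip('"')
        opts[key[2:]] = value if value else True
    return opts

def matches(opts: dict, proto: str, header: str, body: str) -> bool:
    """Apply --protocol, --context and --no_case as the guide describes."""
    if "protocol" in opts and opts["protocol"].lower() != proto.lower():
        return False                       # --protocol tcp: UDP/ICMP traffic is skipped
    if opts.get("context") == "header":
        haystack = header                  # --context header: search the header only
    else:
        haystack = header + "\n" + body
    needle = opts["pattern"]
    if opts.get("no_case") is True:
        return needle.lower() in haystack.lower()
    return needle in haystack              # patterns are case sensitive by default

def evaluate(sig: str) -> list:
    """Return one match result per sample record for the given signature."""
    opts = parse_fsbid(sig)
    return [matches(opts, *s) for s in SAMPLES]
```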

FortiGate IPS User Guide Version 3.0 MR7

01-30007-0080-20080916