Table of Contents
Advertisement
Creating custom signatures
Custom signature syntax
24
Table 2: Information keywords
Keyword and value
--attack_id <id_int>; This optional value is used to identify the signature. It
--name <name_str>;
Table 3: Session keywords
Keyword and value
--flow {from_client |
from_server |
bi_direction };
--service {HTTP | TELNET
| FTP | DNS | SMTP | POP3
| IMAP | SNMP | RADIUS |
LDAP | MSSQL | RPC | SIP
| H323 | NBSS | DCERPC |
SSH | SSL};
Description
cannot be the same value as any other custom rules within
the same VDOM. If an attack ID is not specified, the
FortiGate automatically assigns an attack ID to the
signature.
An attack ID you assign must be between 1000 and 9999.
Example:
--attack_id 1234;
Enter the name of the rule. A rule name must be unique
within the same VDOM.
The name you assign must be a string greater than 0 and
less than 64 characters in length.
Example:
---name "Buffer_Overflow";
Description
Specify the traffic direction and state to be inspected.
They can be used for all IP traffic.
Example:
--src_port 41523;
--flow bi_direction;
The signature checks traffic to and from port 41523.
Previous FortiOS versions used to_client and
to_server values. These are now deprecated, but
still function for backwards compatibility.
Specify the protocol type to be inspected.
This keyword allows you to specify the traffic type by
protocol rather than by port. If the decoder has the
capability to identify the protocol on any port, the
signature can be used to detect the attack no matter
what port the service is running on. Currently, HTTP,
SIP, SSL, and SSH protocols can be identified on any
port based on the content.
FortiGate IPS User Guide Version 3.0 MR7
Custom signatures
01-30007-0080-20080916
- Quick Links:
- Ips Custom Signatures
Hide quick links:
Advertisement
Table of Contents
Need help?
Do you have a question about the Network Device IPS and is the answer not in the manual?
Questions and answers