Fortinet Network Device IPS User Manual page 27

Custom signatures
FortiGate IPS User Guide Version 3.0 MR7
01-30007-0080-20080916
Table 4: Content keywords (Continued)
Keyword and value
--context {uri |
header | body | host};
--no_case;
--offset <offset_int>;
--pattern
[!]"<pattern_str>";
Description
Specify the protocol field that the pattern should be
looked for. If context is not specified for a pattern, the
FortiGate unit searches for the pattern anywhere in the
packet buffer. The available context variables are:
• uri: Search the pattern in HTTP URI line.
• header: Search the pattern in HTTP header lines
or SMTP/POP3/SMTP control messages.
• body: Search the pattern in HTTP body or
SMTP/POP3/SMTP email body.
• host: Search the pattern in HTTP HOST line.
Example:
--pattern "GET "
--context uri
--pattern "yahoo.com"
--context host
--no_case
--pcre "/DESCRIBE\s+\/\s+RTSP\//i"
--context header
The no-case keyword forced the FortiGate unit to
perform a case-insensitive pattern match.
The FortiGate unit starts looking for the contents the
specified number of bytes into the payload. The
specified number of bytes is an absolute value in the
payload. Follow the offset keyword with the depth
keyword to stop looking for a match after a specified
number of bytes. If no depth is specified, the FortiGate
unit continues looking for a match until the end of the
payload.
The offset must be between 0 and 65535.
The FortiGate unit will search for the specified pattern.
A pattern keyword normally is followed by a
context keyword to define where to look for the
pattern in the packet. If a context keyword does not
present, the FortiGate unit looks for the pattern
anywhere in the packet buffer.
To have the FortiGate search for a packet that does not
contain the specified URI, add an exclamation mark (!)
before the URI.
Example:
--pattern "/level/"
--pattern "|E8 D9FF FFFF|/bin/sh"
--pattern !"|20|RTSP/"
Creating custom signatures
27