FortiGate IPS User Guide Version 3.0 MR7
01-30007-0080-20080916
Custom signatures
Custom signatures provide the power and flexibility to customize the FortiGate
Intrusion Protection system for diverse network environments. The FortiGate
predefined signatures represent common attacks. If you use an unusual or
specialized application or an uncommon platform, you can add custom signatures
based on the security alerts released by the application and platform vendors.
You can also create custom signatures to help you block P2P protocols.
After you create custom signatures, you must add them to the IPS sensors that
scan traffic.
This section describes:
• IPS custom signatures
• Viewing the custom signature list
• Custom signature configuration
• Creating custom signatures
IPS custom signatures
The FortiGate predefined signatures cover common attacks. If an unusual or
specialized application or an uncommon platform is being used, add custom
signatures based on the security alerts released by the application and platform
vendors.
Use custom signatures to block or allow specific traffic. For example, to block the
SMTP “vrfy” command, add a custom signature similar to the following:
F-SBID( --name "Block.SMTP.VRFY.CMD"; --protocol tcp;
--service SMTP; --pattern "vrfy"; --no_case;
--context header; )
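The following added example (not part of the guide and not Fortinet code) parses the signature above into its options and shows why --no_case matters: SMTP command verbs are case-insensitive, so a client can send VRFY in any case. The matcher is a simplified substring model and an assumption of this example; it does not reproduce the FortiGate engine, and the sample lines are constructed.

```python
import re

# Signature text exactly as shown in the guide above.
SIGNATURE = ('F-SBID( --name "Block.SMTP.VRFY.CMD"; --protocol tcp; '
             '--service SMTP; --pattern "vrfy"; --no_case; --context header; )')

# One option: --key, an optional quoted or bare value, then ';'.
OPTION = re.compile(r'\s*--(\w+)(?:\s+("[^"]*"|[^;"]+?))?\s*;\s*')

def parse_signature(text):
    """Return the options of an F-SBID( ... ) signature as ordered (key, value) pairs."""
    wrapper = re.fullmatch(r'\s*F-SBID\(\s*(.*?)\s*\)\s*', text, re.S)
    if not wrapper:
        raise ValueError("signature must be wrapped in F-SBID( ... )")
    body, pos, options = wrapper.group(1), 0, []
    while pos < len(body):
        m = OPTION.match(body, pos)
        if not m:
            raise ValueError(f"malformed option near: {body[pos:pos + 20]!r}")
        value = m.group(2)
        options.append((m.group(1), value.strip('"') if value else None))
        pos = m.end()
    return options

def matches(options, line):
    """Simplified model (assumption): substring test for --pattern, case-folded
    when --no_case is present. --protocol, --service, --context are not modelled."""
    opts = dict(options)
    if "no_case" in opts:
        return opts["pattern"].lower() in line.lower()
    return opts["pattern"] in line

# Constructed SMTP client lines, not captured traffic.
SAMPLE_LINES = ["HELO client.example", "VRFY postmaster", "vrfy root",
                "MAIL FROM:<a@example.com>"]

if __name__ == "__main__":
    sig = parse_signature(SIGNATURE)
    strict = [o for o in sig if o[0] != "no_case"]  # same signature minus --no_case
    for line in SAMPLE_LINES:
        print(f"{line!r:32} with --no_case: {matches(sig, line)!s:5} "
              f"without: {matches(strict, line)}")
```
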
Viewing the custom signature list
To view the custom signature list, go to Intrusion Protection > Signature > Custom.
Figure 4: The custom signature list
Note: If virtual domains are enabled on the FortiGate unit, IPS is configured separately in
each VDOM. Sensors, filters, and custom signatures will only appear in the VDOM in which
they were created.