FortiGate IPS User Guide Version 3.0 MR7
24
01-30007-0080-20080916
Creating custom signatures
Custom signatures
Custom signature syntax
Table 2: Information keywords
Keyword and value
Description
--attack_id <id_int>;
This optional value is used to identify the signature. It
cannot be the same value as any other custom rules within
the same VDOM. If an attack ID is not specified, the
FortiGate automatically assigns an attack ID to the
signature.
An attack ID you assign must be between 1000 and 9999.
Example:
--attack_id 1234;
--name <name_str>;
Enter the name of the rule. A rule name must be unique
within the same VDOM.
The name you assign must be a string greater than 0 and
less than 64 characters in length.
Example:
---name "Buffer_Overflow";
Table 3: Session keywords
Keyword and value
Description
--flow {from_client |
from_server |
bi_direction };
Specify the traffic direction and state to be inspected.
They can be used for all IP traffic.
Example:
--src_port 41523;
--flow bi_direction;
The signature checks traffic to and from port 41523.
Previous FortiOS versions used
to_client
and
to_server
values. These are now deprecated, but
still function for backwards compatibility.
--service {HTTP | TELNET
| FTP | DNS | SMTP | POP3
| IMAP | SNMP | RADIUS |
LDAP | MSSQL | RPC | SIP
| H323 | NBSS | DCERPC |
SSH | SSL};
Specify the protocol type to be inspected.
This keyword allows you to specify the traffic type by
protocol rather than by port. If the decoder has the
capability to identify the protocol on any port, the
signature can be used to detect the attack no matter
what port the service is running on. Currently, HTTP,
SIP, SSL, and SSH protocols can be identified on any
port based on the content.