Custom signatures
Creating custom signatures
FortiGate IPS User Guide Version 3.0 MR7
01-30007-0080-20080916
Table 4: Content keywords

Keyword and value:
--byte_jump <bytes_to_convert>, <offset>[, relative] [, big] [, little] [, string] [, hex] [, dec] [, oct] [, align];

Description:
Use the byte_jump option to extract a number of bytes from a packet, convert them to their numeric representation, and jump the match reference up that many bytes (for further pattern matching or byte testing). This keyword allows relative pattern matches to take into account numerical values found in network data.

The available keyword options include:
• <bytes_to_convert>: The number of bytes to examine from the packet.
• <offset>: The number of bytes into the payload to start processing.
• relative: Use an offset relative to last pattern match.
• big: Process the data as big endian (default).
• little: Process the data as little endian.
• string: The data is a string in the packet.
• hex: The converted string data is represented in hexadecimal notation.
• dec: The converted string data is represented in decimal notation.
• oct: The converted string data is represented in octal notation.
• align: Round up the number of converted bytes to the next 32-bit boundary.