FortiGate IPS User Guide Version 3.0 MR7
28
01-30007-0080-20080916
Creating custom signatures
Custom signatures
--pcre [!]"(/<regex>/|m<delim><regex><delim>)[ismxAEGRUB]";
Similar to the pattern keyword, pcre is used to specify a pattern using Perl-compatible regular expressions (PCRE). A pcre keyword can be followed by a context keyword to define where to look for the pattern in the packet. If no context keyword is present, the FortiGate unit looks for the pattern anywhere in the packet buffer.
For more information about PCRE syntax, go to http://www.pcre.org.
The switches include:
• i: Case insensitive.
• s: Include newlines in the dot metacharacter.
• m: By default, the string is treated as one big line of characters. ^ and $ match at the beginning and ending of the string. When m is set, ^ and $ match immediately following or immediately before any newline in the buffer, as well as the very start and very end of the buffer.
• x: White space data characters in the pattern are ignored except when escaped or inside a character class.
• A: The pattern must match only at the start of the buffer (same as ^).
• E: Set $ to match only at the end of the subject string. Without E, $ also matches immediately before the final character if it is a newline (but not before any other newlines).
• G: Invert the "greediness" of the quantifiers so that they are not greedy by default, but become greedy if followed by ?.
• R: Match relative to the end of the last pattern match. (Similar to distance:0;).
• U: Deprecated, see the context keyword. Match the decoded URI buffers.
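The following is an added example, not code from the FortiGate guide or from Fortinet: a small Python helper that parses the value of a --pcre keyword exactly as the syntax line above describes it (optional !, a double-quoted /regex/ or m<delim>regex<delim>, trailing switches) and compiles it with Python's re module so a signature author can check a pattern against a captured payload before loading it on the unit. The mapping of i, s, m, x and A onto Python flags is an assumption that Python's re is close enough to PCRE for these switches; E, G, R, U and B have no flag-level equivalent in Python's re and are rejected rather than silently ignored. All sample buffers are constructed.

```python
import re

# FortiGate pcre switches that have a direct Python re equivalent
# (assumption: Python re semantics match PCRE for these four switches).
FLAG_MAP = {
    "i": re.IGNORECASE,  # case insensitive
    "s": re.DOTALL,      # '.' also matches newline
    "m": re.MULTILINE,   # ^ and $ also match at embedded newlines
    "x": re.VERBOSE,     # unescaped whitespace in the pattern is ignored
}
# Switches listed in the guide that Python's re cannot express as a flag.
UNSUPPORTED = set("EGRUB")

# Outer shape of the keyword value: optional '!' then a double-quoted body.
PCRE_VALUE = re.compile(r'^(!?)"(.*)"$', re.DOTALL)


def parse_pcre_keyword(value):
    """Split a --pcre value into (negated, regex, switches).

    Accepts "/regex/flags" and "m<delim>regex<delim>flags" as shown in the
    guide's syntax line; the closing delimiter is the last occurrence of the
    delimiter because the switches that follow it are letters only.
    """
    m = PCRE_VALUE.match(value.strip())
    if not m:
        raise ValueError("pcre value must be a double-quoted string, optionally preceded by !")
    negated = m.group(1) == "!"
    body = m.group(2)
    if body.startswith("/"):
        delim, rest = "/", body[1:]
    elif body.startswith("m") and len(body) > 2:
        delim, rest = body[1], body[2:]
    else:
        raise ValueError("regex must be written as /regex/ or m<delim>regex<delim>")
    end = rest.rfind(delim)
    if end < 0:
        raise ValueError("missing closing delimiter %r" % delim)
    return negated, rest[:end], rest[end + 1:]


def compile_pcre(value):
    """Return (negated, compiled_regex) for a --pcre value, or raise ValueError."""
    negated, regex, switches = parse_pcre_keyword(value)
    unsupported = sorted(set(switches) & UNSUPPORTED)
    if unsupported:
        raise ValueError("switches without a Python re equivalent: " + "".join(unsupported))
    flags = 0
    for c in switches:
        if c in FLAG_MAP:
            flags |= FLAG_MAP[c]
        elif c != "A":
            raise ValueError("unknown pcre switch %r" % c)
    if "A" in switches:
        # A: the match must start at the very beginning of the buffer.
        regex = r"\A(?:" + regex + ")"
    return negated, re.compile(regex, flags)


def signature_matches(value, buffer):
    """True if the --pcre keyword would fire on `buffer` (no context keyword,
    so the whole buffer is searched, as the guide states)."""
    negated, compiled = compile_pcre(value)
    found = compiled.search(buffer) is not None
    return found != negated


if __name__ == "__main__":
    # Constructed sample payloads for a quick local check of a candidate signature.
    sql = "SELECT password FROM users"
    print(signature_matches('"/select.*from/i"', sql))       # True: i makes it case insensitive
    print(signature_matches('"/^GET /m"', "POST /\nGET /x"))  # True: m lets ^ match after a newline
    print(signature_matches('"/^GET /"', "POST /\nGET /x"))   # False: without m, ^ is start of buffer only
```

Run the module directly to see the three checks; each call returns a boolean, so the same function can be dropped into a unit test for a library of custom signatures.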
--uri [!]"<uri_str>";
Deprecated, see the pattern and context keywords.
The FortiGate unit will search for the URI in the packet payload. The URI must be enclosed in double quotes. To have the FortiGate search for a packet that does not contain the specified URI, add an exclamation mark (!) before the URI.
Multiple content items can be specified in one rule. The value can contain mixed text and binary data. The binary data is generally enclosed within the pipe (|) character.
The double quote ("), pipe sign (|) and colon (:) characters must be escaped using a backslash if specified in a URI string.
--within <within_int>;
When used with the distance keyword, the FortiGate unit searches for the contents within the specified number of bytes of the payload.
The within value must be between 0 and 65535.
Table 4: Content keywords (Continued)
Keyword and value    Description
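As an added illustration of the within keyword (not code from the FortiGate guide or from Fortinet), the function below searches a byte buffer for a second content string relative to the end of an earlier match, honouring a distance and a within value. The window semantics are an assumption modelled on the usual Snort-style meaning (skip distance bytes after the previous match, then the whole second content must end within the next within bytes); the 0 to 65535 range check is taken from the guide. The HTTP request line used as input is constructed.

```python
def content_within(buffer, prev_end, content, distance=0, within=None):
    """Return the end offset of `content` if it occurs in the window that
    starts `distance` bytes after `prev_end` and, when `within` is given, is
    at most `within` bytes wide; otherwise return None.

    Assumption: Snort-style semantics, where the second content must lie
    entirely inside the window. The within range check follows the guide.
    """
    if within is not None and not 0 <= within <= 65535:
        raise ValueError("within must be between 0 and 65535")
    start = prev_end + distance
    end = len(buffer) if within is None else min(len(buffer), start + within)
    idx = buffer.find(content, start, end)  # find() keeps the match inside [start, end)
    return None if idx < 0 else idx + len(content)


def two_content_rule(buffer, first, second, distance=0, within=None):
    """Emulate a rule with two content items, the second qualified by
    distance/within relative to the first. Returns True when both match."""
    first_idx = buffer.find(first)
    if first_idx < 0:
        return False
    return content_within(buffer, first_idx + len(first), second, distance, within) is not None


if __name__ == "__main__":
    # Constructed request line: "HTTP/1.1" occupies bytes 16..23.
    req = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
    print(two_content_rule(req, b"GET ", b"HTTP/1.1", within=20))  # True: window [4, 24) holds it
    print(two_content_rule(req, b"GET ", b"HTTP/1.1", within=19))  # False: one byte short
```

Tightening within by a single byte flips the result, which is the property to keep in mind when a signature is tuned against a few sample packets: a window sized to one capture may miss a slightly longer header on the next.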