Custom signatures
Creating custom signatures
FortiGate IPS User Guide Version 3.0 MR7
01-30007-0080-20080916
29
Table 5: IP header keywords

Keyword and Value                 Description

--dst_addr [!]<ipv4>;
    The destination IP address. To have the FortiGate search for a packet that
    does not contain the specified address, add an exclamation mark (!) before
    the IP address. You can define up to 28 IP addresses or CIDR blocks.
    Enclose the comma-separated list in square brackets.
    Example:
    • dst_addr [172.20.0.0/16,10.1.0.0/16,192.168.0.0/16]

--ip_id <field_int>;
    Check the IP ID field for the specified value.

--ip_option {rr | eol | nop | ts | sec | lsrr | ssrr | satid | any};
    Use the ip_option keyword to check various IP option settings. The
    available options include:
    • rr: Check if the IP RR (record route) option is present.
    • eol: Check if the IP EOL (end of list) option is present.
    • nop: Check if the IP NOP (no op) option is present.
    • ts: Check if the IP TS (time stamp) option is present.
    • sec: Check if the IP SEC (IP security) option is present.
    • lsrr: Check if the IP LSRR (loose source routing) option is present.
    • ssrr: Check if the IP SSRR (strict source routing) option is present.
    • satid: Check if the IP SATID (stream identifier) option is present.
    • any: Check if any IP option is present.

--ip_tos <field_int>;
    Check the IP TOS field for the specified value.

--ip_ttl [< | >] <ttl_int>;
    Check the IP time-to-live value against the specified value. Optionally,
    you can check for an IP time-to-live greater than (>) or less than (<) the
    specified value with the appropriate symbol.

--protocol {<protocol_int> | tcp | udp | icmp};
    Check the IP protocol header.
    Example:
    --protocol tcp;

--src_addr [!]<ipv4>;
    The source IP address. To have the FortiGate search for a packet that does
    not contain the specified address, add an exclamation mark (!) before the
    IP address. You can define up to 28 IP addresses or CIDR blocks. Enclose
    the comma-separated list in square brackets.
    Example:
    • src_addr 192.168.13.0/24
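As an added illustration (not Fortinet code and not the FortiGate matching engine), the following Python evaluator parses the IP header keyword clauses from Table 5, including the "!" negation, the bracketed CIDR list with its 28-entry limit and the "<"/">" TTL comparisons, and tests them against a constructed packet description. The dict-based packet model and the clause regex are assumptions made for this example.

```python
import ipaddress
import re
# Added example (not Fortinet code): evaluator for the Table 5 IP-header keywords
# against a constructed packet description; the dict packet model is an assumption.
PROTO_NAMES = {"tcp": 6, "udp": 17, "icmp": 1}
CLAUSE_RE = re.compile(r"--(\w+)\s+([^;]+);")   # one "--keyword value;" clause

def parse_signature(sig):
    """Split a signature into (keyword, value) pairs, one per '--kw value;' clause."""
    return [(kw, val.strip()) for kw, val in CLAUSE_RE.findall(sig)]

def addr_matches(value, addr):
    """[!]<ipv4> or [!][a/b,c/d,...]: '!' negates; at most 28 entries are allowed."""
    negate = value.startswith("!")
    spec = value.lstrip("!").strip()
    nets = [n.strip() for n in spec.strip("[]").split(",") if n.strip()]
    if len(nets) > 28:
        raise ValueError("at most 28 IP addresses or CIDR blocks per keyword")
    hit = any(ipaddress.ip_address(addr) in ipaddress.ip_network(n, strict=False) for n in nets)
    return hit != negate

def ttl_matches(value, ttl):
    """[< | >] <ttl_int>: a bare value means equality, '<' / '>' compare."""
    if value[0] in "<>":
        bound = int(value[1:])
        return ttl < bound if value[0] == "<" else ttl > bound
    return ttl == int(value)

def signature_matches(sig, pkt):
    """True when every clause in sig holds for the packet description pkt."""
    for kw, val in parse_signature(sig):
        if kw in ("dst_addr", "src_addr"):
            ok = addr_matches(val, pkt[kw[:3]])          # "dst" or "src"
        elif kw == "ip_ttl":
            ok = ttl_matches(val, pkt["ttl"])
        elif kw == "protocol":                            # name or protocol number
            ok = pkt["proto"] == PROTO_NAMES.get(val, int(val) if val.isdigit() else -1)
        elif kw in ("ip_id", "ip_tos"):
            ok = pkt[kw] == int(val)
        elif kw == "ip_option":                           # "any" = at least one option set
            ok = bool(pkt["options"]) if val == "any" else val in pkt["options"]
        else:
            raise ValueError(f"unsupported keyword: {kw}")
        if not ok:
            return False
    return True

# Constructed sample packet (not captured traffic), used to exercise the matcher.
SAMPLE_PKT = {"src": "192.168.13.7", "dst": "10.1.2.3", "ttl": 50,
              "proto": 6, "ip_id": 1234, "ip_tos": 0, "options": set()}
```

Calling `signature_matches("--dst_addr [172.20.0.0/16,10.1.0.0/16,192.168.0.0/16]; --protocol tcp; --ip_ttl <64;", SAMPLE_PKT)` returns True, while prefixing the address list with "!" makes the same clause fail.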