FortiGate IPS User Guide Version 3.0 MR7 (page 26, 01-30007-0080-20080916)
Creating custom signatures
Custom signatures
--byte_test <bytes_to_convert>, <operator>, <value>, <offset>[, relative] [, big] [, little] [, string] [, hex] [, dec] [, oct];
The FortiGate unit compares a byte field against a specific value using <operator>. This keyword can test binary values directly, or convert a string representation of a number found in the packet (the string option, with hex, dec or oct giving its notation) to its binary equivalent and test that. The available keyword options include:
• <bytes_to_convert>: the number of bytes to read and convert.
• <operator>: the comparison to perform on the converted value (<, >, =, !, &).
• <value>: the value to compare the converted value against.
• <offset>: the number of bytes into the payload at which to start reading.
• relative: make <offset> relative to the end of the last pattern match instead of the start of the payload.
• big: process the data as big endian (the default when neither big nor little is given).
• little: process the data as little endian.
• string: the data is a string in the packet; hex, dec or oct states which notation the string uses.
• hex: the string data is in hexadecimal notation.
• dec: the string data is in decimal notation.
• oct: the string data is in octal notation.
--depth <depth_int>;
The FortiGate unit looks for the contents within the specified number of bytes after the starting point defined by the offset keyword. If no offset is specified, the offset is assumed to be 0. If the value of the depth keyword is smaller than the length of the value of the content keyword, the signature can never match. The depth must be between 0 and 65535.
--distance <dist_int>;
The FortiGate unit searches for the contents starting the specified number of bytes after the end of the previously matched contents. If the within keyword is not specified, it continues looking for a match until the end of the payload. The distance must be between 0 and 65535.
--content [!]"<content_str>";
Deprecated, see the pattern and context keywords.
The FortiGate unit searches for the content string in the packet payload. The content string must be enclosed in double quotes. To have the FortiGate unit match a packet that does not contain the specified content string, add an exclamation mark (!) before the content string. Multiple content items can be specified in one rule. The value can contain mixed text and binary data; binary data is enclosed within pipe (|) characters. The double quote ("), pipe (|) and colon (:) characters must be escaped with a backslash if they appear in a content string.
Table 4: Content keywords (continued). Columns: keyword and value; description.
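The windowing and conversion rules above (offset/depth for an absolute search, distance/within for a search relative to the previous match, and byte_test over binary or ASCII-numeric fields) are easy to get wrong when writing a signature. The following is an added example, not FortiGate code and not from this guide: a small reference matcher that applies those semantics to constructed payloads so the behaviour can be checked by hand. It assumes that operator "!" means "not equal" and "&" means "bitwise AND is non-zero", that within limits how far past the distance point the whole content must end, and that a byte_test field running past the end of the payload does not match; the page lists the operators but does not define them.

```python
# Added example (not FortiGate code): a reference matcher for the
# content/offset/depth/distance/within and byte_test semantics in Table 4.
# Assumptions: "!" is "not equal", "&" is "bitwise AND non-zero", and a
# field that runs past the payload end never matches.

def find_content(payload, content, offset=0, depth=None, distance=None,
                 within=None, negate=False, last_end=None):
    """Search for `content` in `payload`. Returns (matched, end_of_match) so
    later keywords can position themselves relative to this match.
    Absolute mode: start at `offset`, look at most `depth` bytes.
    Relative mode (distance or within given): start `distance` bytes after the
    previous match and look at most `within` bytes."""
    if distance is not None or within is not None:
        start = (last_end or 0) + (distance or 0)
        end = len(payload) if within is None else start + within
    else:
        start = offset
        end = len(payload) if depth is None else offset + depth
    # A depth shorter than the content can never match: the window is too small.
    idx = payload[start:end].find(content)
    found = idx != -1
    if negate:                      # content !"..." matches when absent
        return (not found), last_end
    if not found:
        return False, last_end
    return True, start + idx + len(content)


def byte_test(payload, bytes_to_convert, operator, value, offset,
              relative=False, little=False, string=False, radix=10,
              last_end=None):
    """Convert `bytes_to_convert` bytes at `offset` (plus the previous match
    end when `relative`) to an integer and compare it with `value`.
    Binary data is read big endian unless `little`; with `string` the bytes
    are ASCII digits in `radix` (10 for dec, 16 for hex, 8 for oct)."""
    start = offset + ((last_end or 0) if relative else 0)
    raw = payload[start:start + bytes_to_convert]
    if len(raw) < bytes_to_convert:  # field runs past the payload: no match
        return False
    if string:
        try:
            converted = int(raw.decode("ascii"), radix)
        except ValueError:           # not digits in that radix
            return False
    else:
        converted = int.from_bytes(raw, "little" if little else "big")
    ops = {
        "<": converted < value,
        ">": converted > value,
        "=": converted == value,
        "!": converted != value,
        "&": (converted & value) != 0,
    }
    return ops[operator]


def match_signature(payload, checks):
    """Run an ordered list of ("content", kwargs) / ("byte_test", kwargs)
    checks; every check must pass, and each content hit feeds the next."""
    last_end = None
    for kind, kwargs in checks:
        if kind == "content":
            ok, last_end = find_content(payload, last_end=last_end, **kwargs)
        else:
            ok = byte_test(payload, last_end=last_end, **kwargs)
        if not ok:
            return False
    return True


# Constructed sample payloads (not captured traffic).
HTTP_SAMPLE = (b"POST /upload HTTP/1.1\r\nHost: example\r\n"
               b"Content-Length: 65535\r\n\r\n")
# Oversized Content-Length: anchor "POST" at offset 0, find the header relative
# to that match, then read the 5 ASCII decimal digits right after it.
HTTP_CHECKS = [
    ("content", dict(content=b"POST", depth=4)),
    ("content", dict(content=b"Content-Length: ", distance=0)),
    ("byte_test", dict(bytes_to_convert=5, operator=">", value=10000,
                       offset=0, relative=True, string=True, radix=10)),
]

# 4-byte magic followed by a 2-byte little-endian length field (value 4000).
BIN_SAMPLE = b"\x7fRPC" + (4000).to_bytes(2, "little") + b"\x00" * 8
BIN_CHECKS = [
    ("content", dict(content=b"\x7fRPC", depth=4)),
    ("byte_test", dict(bytes_to_convert=2, operator="<", value=8192,
                       offset=4, little=True)),
]


def demo():
    """Return the outcome of each sample so it can be inspected or asserted."""
    return {
        "http_oversized_length": match_signature(HTTP_SAMPLE, HTTP_CHECKS),
        "bin_length_little": match_signature(BIN_SAMPLE, BIN_CHECKS),
        # The same field read big endian is 0xA00F = 40975, so "< 8192" fails.
        "bin_length_big": byte_test(BIN_SAMPLE, 2, "<", 8192, 4),
        # depth 2 is shorter than the 3-byte content: can never match.
        "depth_too_short": find_content(b"GET /", b"GET", depth=2)[0],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The binary sample is the check a practitioner most often gets wrong: the same two bytes pass "< 8192" when read little endian and fail it when read with the big-endian default, so a signature that omits the little flag on a little-endian protocol field silently stops matching.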