Custom signatures
Creating custom signatures
FortiGate IPS User Guide Version 3.0 MR7
01-30007-0080-20080916
27
--context {uri | header | body | host};
Specifies the protocol field in which the pattern should be looked for. If no context is specified for a pattern, the FortiGate unit searches for the pattern anywhere in the packet buffer. The available context variables are:
• uri: search for the pattern in the HTTP URI line.
• header: search for the pattern in HTTP header lines or SMTP/POP3/SMTP control messages.
• body: search for the pattern in the HTTP body or SMTP/POP3/SMTP email body.
• host: search for the pattern in the HTTP HOST line.
Example:
--pattern "GET " --context uri
--pattern "yahoo.com" --context host --no_case
--pcre "/DESCRIBE\s+\/\s+RTSP\//i" --context header --no_case;
The no_case keyword forces the FortiGate unit to perform a case-insensitive pattern match.
--offset <offset_int>;
The FortiGate unit starts looking for the contents the specified number of bytes into the payload. The specified number of bytes is an absolute value in the payload. Follow the offset keyword with the depth keyword to stop looking for a match after a specified number of bytes. If no depth is specified, the FortiGate unit continues looking for a match until the end of the payload. The offset must be between 0 and 65535.
--pattern [!]"<pattern_str>";
The FortiGate unit searches for the specified pattern. A pattern keyword is normally followed by a context keyword to define where to look for the pattern in the packet. If no context keyword is present, the FortiGate unit looks for the pattern anywhere in the packet buffer.
To have the FortiGate unit search for a packet that does not contain the specified pattern, add an exclamation mark (!) before the pattern.
Example:
--pattern "/level/"
--pattern "|E8 D9FF FFFF|/bin/sh"
--pattern !"|20|RTSP/"
Table 4: Content keywords (Continued)
Keyword and value
Description