FortiGate IPS User Guide Version 3.0 MR7

01-30007-0080-20080916

Creating custom signatures

Custom signatures

Table 4: Content keywords (Continued)

Keyword and value / Description

--byte_test <bytes_to_convert>, <operator>, <value>, <offset>[, relative] [, big] [, little] [, string] [, hex] [, dec] [, oct];

The FortiGate unit compares a byte field against a specific value (with operator). This keyword can test binary values, or convert representative byte strings to their binary equivalent and test them. The available keyword options include:

<bytes_to_convert>: The number of bytes to compare.
<operator>: The operation to perform when comparing the value (<, >, =, !, &).
<value>: The value to compare the converted value against.
<offset>: The number of bytes into the payload at which to start processing.
relative: Use an offset relative to the last pattern match.
big: Process the data as big endian (default).
little: Process the data as little endian.
string: The data is a string in the packet.
hex: The converted string data is represented in hexadecimal notation.
dec: The converted string data is represented in decimal notation.
oct: The converted string data is represented in octal notation.

--depth <depth_int>;

The FortiGate unit looks for the contents within the specified number of bytes after the starting point defined by the offset keyword. If no offset is specified, the offset is assumed to be 0. If the value of the depth keyword is smaller than the length of the value of the content keyword, this signature will never be matched. The depth must be between 0 and 65535.

--distance <dist_int>;

The FortiGate unit searches for the contents within the specified number of bytes relative to the end of the previously matched contents. If the within keyword is not specified, it continues looking for a match until the end of the payload. The distance must be between 0 and 65535.

--content [!]"<content_str>";

Deprecated; see the pattern and context keywords. The FortiGate unit will search for the content string in the packet payload. The content string must be enclosed in double quotes. To have the FortiGate unit search for a packet that does not contain the specified content string, add an exclamation mark (!) before the content string. Multiple content items can be specified in one rule. The value can contain mixed text and binary data. Binary data is generally enclosed within the pipe (|) character. The double quote ("), pipe (|) and colon (:) characters must be escaped with a backslash if they appear in a content string.
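As an added example, not taken from the FortiGate guide or its implementation, the following Python code emulates the byte_test, depth and distance/within semantics described in the table and runs them over a constructed payload. The SAMPLE layout and the function names are assumptions made for illustration; the operator set and option meanings follow the table above.

```python
import operator

# Constructed sample payload (not captured traffic): a 4-byte magic, a 2-byte
# big-endian length (1500 = 0x05DC), a 2-byte flags field, then an ASCII field.
SAMPLE = b"PKT1" + (1500).to_bytes(2, "big") + b"\x00\x01" + b"size=0x05DC;" + b"A" * 8

# The five byte_test operators listed in the guide; '&' is a bitwise AND test.
OPS = {
    "<": operator.lt, ">": operator.gt, "=": operator.eq, "!": operator.ne,
    "&": lambda field, mask: (field & mask) != 0,
}

def byte_test(payload, nbytes, op, value, offset, relative_to=None, little=False, string=None):
    """Emulate --byte_test. relative_to is the end of the previous match (the
    'relative' option); string is None for binary data, or 'hex'/'dec'/'oct'
    when the bytes are an ASCII number in that notation."""
    start = (relative_to or 0) + offset
    chunk = payload[start:start + nbytes]
    if len(chunk) < nbytes:          # field runs past the end of the payload
        return False
    if string is None:
        field = int.from_bytes(chunk, "little" if little else "big")
    else:
        try:
            field = int(chunk.decode("ascii"), {"hex": 16, "dec": 10, "oct": 8}[string])
        except (UnicodeDecodeError, ValueError):
            return False             # not a number in the requested notation
    return OPS[op](field, value)

def find_content(payload, content, offset=0, depth=None, distance=None, within=None, last_end=0):
    """Emulate --content with offset/depth (absolute) or distance/within
    (relative to the end of the previous match). Returns the end position of
    the match, or -1 if there is none."""
    if distance is not None:
        start = last_end + distance
        end = start + within if within is not None else len(payload)
    else:
        start = offset
        end = start + depth if depth is not None else len(payload)
    # find() requires the whole content inside [start, end), so a depth
    # smaller than len(content) can never match, as the guide states.
    idx = payload.find(content, start, end)
    return -1 if idx < 0 else idx + len(content)

def check_sample():
    """Chain the keywords the way a custom signature would: anchor on the
    magic, then test the length field relative to the end of that match."""
    end = find_content(SAMPLE, b"PKT1", offset=0, depth=4)
    return end != -1 and byte_test(SAMPLE, 2, ">", 1024, 0, relative_to=end)
```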