Fortinet Network Device IPS User Manual
Page 32
FortiGate IPS User Guide Version 3.0 MR7
32
01-30007-0080-20080916
Creating custom signatures
Custom signatures
Table 7: UDP header keywords
Keyword and Value
Description
--dst_port [!]{<port_int> |
:<port_int> | <port_int>: |
<port_int>:<port_int>};
The destination port number.
You can specify a single port or port range:
•
<port_int> is a single port.
•
:<port_int> includes the specified port and
all lower numbered ports.
•
<port_int>: includes the specified port and
all higher numbered ports.
•
<port_int>:<port_int> includes the two
specified ports and all ports in between.
--src_port [!]{<port_int> |
:<port_int> | <port_int>: |
<port_int>:<port_int>};
The source port number.
You can specify a single port or port range:
•
<port_int> is a single port.
•
:<port_int> includes the specified port and
all lower numbered ports.
•
<port_int>: includes the specified port and
all higher numbered ports.
•
<port_int>:<port_int> includes the two
specified ports and all ports in between.
Table 8: ICMP keywords
Keyword and Value
Usage
--icmp_code <code_int>;
Specify the ICMP code to match.
--icmp_id <id_int>;
Check for the specified ICMP ID value.
--icmp_seq <seq_int>;
Check for the specified ICMP sequence value.
--icmp_type <type_int>;
Specify the ICMP type to match.
Table 9: Other keywords
Keyword and Value
Description
--data_size {<size_int> |
<<size_int> | ><size_int> |
<port_int><><port_int>};
Test the packet payload size. With data_size
specified, packet reassembly is turned off
automatically. So a signature with data_size
and only_stream values set is wrong.
•
<size_int> is a particular packet size.
•
<<size_int> is a packet smaller than the
specified size.
•
><size_int> is a packet larger than the
specified size.
•
<size_int><><size_int> within the
range between the specified sizes.
--data_at <offset_int>[,
relative];
Verify that the payload has data at a specified
offset, optionally looking for data relative to the
end of the previous content match.