Fortinet Network Device IPS User Manual

Custom signatures

Creating custom signatures

FortiGate IPS User Guide Version 3.0 MR7
01-30007-0080-20080916

Example 2: signature to block the SMTP ‘vrfy’ command

The SMTP vrfy command can be used to verify the existence of a single email
address, or it can be used to list all of the valid email accounts on an email server.
A spammer could potentially use this command to obtain a list of all valid email
users and direct spam to their inboxes.

In this example, we will create a custom signature to block the use of the vrfy
command. Because the signature only blocks vrfy commands that pass through the
FortiGate unit, an administrator can still use the command from within the
internal network.

1  Custom signature basic format

All custom signatures have a header, and at least one keyword/value pair. The
header is always the same:

F-SBID( )

The keyword/value pairs appear within the parentheses and each pair is followed
by a semicolon.

2  Choosing a name for the custom signature

Every custom signature requires a name, so it is good practice to assign a name
before any other keywords are added.

Use the --name keyword to assign the custom signature a name. The name value
follows the keyword after a space. Enclose the name value in double quotes:

F-SBID( --name "Block.SMTP.VRFY.CMD"; )

The signature, as it appears here, will not do anything if used. It has a name, but
doesn’t look for any patterns in network traffic. You must specify a pattern for the
FortiGate unit to search for.

3  Adding a signature pattern

Use the --pattern keyword to specify what the FortiGate unit will search for:

F-SBID( --name "Block.SMTP.VRFY.CMD"; --pattern "vrfy"; )

The signature will now detect the string vrfy anywhere in network traffic. The
custom signature should detect the command only in SMTP traffic, however; any
other traffic containing the pattern should be allowed to pass. For example, an
email message discussing the vrfy command should not be stopped.

4  Specifying the service

Use the --service keyword to limit the effect of the custom signature to only the
SMTP protocol:

F-SBID( --name "Block.SMTP.VRFY.CMD"; --pattern "vrfy"; --service SMTP; )

The FortiGate unit will limit its search for the pattern to the SMTP protocol.

Even though the SMTP protocol uses only TCP traffic, the FortiGate will search
for SMTP protocol communication in TCP, UDP, and ICMP traffic. This is a
needless waste of system resources.
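The steps above build the signature one keyword at a time. The following Python model is added here as an example; it is not FortiGate or Fortinet code. It parses the F-SBID( ) header and the semicolon-terminated keyword/value layout from steps 1 and 2, then applies the step 2, step 3 and step 4 versions of Block.SMTP.VRFY.CMD to a few constructed traffic records, so the effect of adding --pattern and then --service can be seen. The traffic records, the function names and the matching engine itself (a case-sensitive substring search over the payload, restricted to the service named by --service) are assumptions of the example and do not describe how the FortiGate inspection engine works internally.

```python
"""Toy model of the F-SBID custom signature layout shown on this page.

Added example, not Fortinet code: it parses the header and the
semicolon-terminated --keyword value pairs, then applies each stage of the
Block.SMTP.VRFY.CMD signature to constructed traffic records so the effect of
adding --pattern and --service can be observed. The matching engine is an
assumption of the example (case-sensitive substring search over the payload,
restricted to the service named by --service); it is not the FortiGate engine.
"""
import re
from dataclasses import dataclass

# The header is always F-SBID( ... ); everything inside is keyword/value pairs.
HEADER_RE = re.compile(r"^\s*F-SBID\(\s*(.*?)\s*\)\s*$", re.DOTALL)
# One pair: --keyword, an optional quoted or bare value, and the terminating ';'.
PAIR_RE = re.compile(r'--(\w+)(?:\s+("(?:[^"\\]|\\.)*"|[^;\s]+))?\s*;')


def parse_signature(text):
    """Return {keyword: value} for a custom signature, or raise ValueError."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("custom signature must be wrapped in F-SBID( )")
    body = m.group(1)
    sig, pos = {}, 0
    for pm in PAIR_RE.finditer(body):
        if body[pos:pm.start()].strip():
            raise ValueError("unparsed text near %r" % body[pos:pm.start()])
        key, val = pm.group(1), pm.group(2)
        if val is not None and val.startswith('"'):
            val = val[1:-1].replace('\\"', '"')   # strip the double quotes
        sig[key] = val
        pos = pm.end()
    if body[pos:].strip():
        raise ValueError("pair not terminated by ';' near %r" % body[pos:])
    if "name" not in sig:
        raise ValueError("every custom signature requires --name")
    return sig


@dataclass
class Packet:
    service: str   # application protocol the (simulated) engine identified
    payload: str   # data the pattern is searched in
    label: str     # used only for reporting


def matches(sig, pkt):
    """Apply the parsed signature to one traffic record (simplified engine)."""
    pattern = sig.get("pattern")
    if pattern is None:
        return False   # a name with no --pattern looks for nothing, so never fires
    if "service" in sig and sig["service"].upper() != pkt.service.upper():
        return False   # --service limits the search to one protocol
    return pattern in pkt.payload   # case-sensitive, as the bare "vrfy" pattern is written


# Constructed sample traffic, not a capture from any real network.
SAMPLE_TRAFFIC = [
    Packet("SMTP", "vrfy postmaster\r\n", "SMTP probe, lower-case verb"),
    Packet("SMTP", "VRFY root\r\n", "SMTP probe, upper-case verb"),
    Packet("SMTP", "MAIL FROM:<alice@example.com>\r\n", "ordinary SMTP command"),
    Packet("HTTP", "GET /docs/smtp-vrfy.html HTTP/1.1\r\n", "web page about vrfy"),
    Packet("SMTP", "DATA\r\nPlease disable vrfy on the relay.\r\n.\r\n",
           "e-mail body mentioning vrfy"),
]

STEP2 = 'F-SBID( --name "Block.SMTP.VRFY.CMD"; )'
STEP3 = 'F-SBID( --name "Block.SMTP.VRFY.CMD"; --pattern "vrfy"; )'
STEP4 = 'F-SBID( --name "Block.SMTP.VRFY.CMD"; --pattern "vrfy"; --service SMTP; )'


def hits(sig_text, traffic=SAMPLE_TRAFFIC):
    """Labels of the sample records the given signature text would fire on."""
    sig = parse_signature(sig_text)
    return [p.label for p in traffic if matches(sig, p)]


if __name__ == "__main__":
    for step, sig_text in (("step 2", STEP2), ("step 3", STEP3), ("step 4", STEP4)):
        print(step, hits(sig_text))
```

Run stand-alone, the step 2 signature fires on nothing, the step 3 signature fires on the HTTP request and the e-mail body as well as the SMTP probe, and the step 4 signature drops the HTTP hit. Two things the simulation makes visible that the text alone does not: a case-sensitive match on "vrfy" misses the upper-case VRFY probe even though SMTP verbs are case-insensitive, and an e-mail body that merely mentions vrfy still matches once it travels over SMTP, because --service decides which protocol is searched, not where in the session the pattern may appear. Both are properties of this toy engine; check the appliance's own keyword reference for how the real engine handles case and match context before relying on a signature like this.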

5  Specifying the traffic type