FortiOS 6 – Custom signature keywords

TCP header keywords

ack

Syntax: --ack <ack_int>;

Description:

Check for the specified TCP acknowledgement number.

dst_port

Syntax: --dst_port [!]{<port_int> | :<port_int> | <port_int>: | <port_int>:<port_int>};

Description:

Use the dst_port keyword to specify the destination port number.

You can specify a single port or a port range:

  • <port_int> is a single port.
  • :<port_int> includes the specified port and all lower numbered ports.
  • <port_int>: includes the specified port and all higher numbered ports.
  • <port_int>:<port_int> includes the two specified ports and all ports in between.

Add an exclamation mark (!) before the value to match any port outside the specified port or range.

seq

Syntax: --seq [operator,]<number>[,relative];

Description:

Check for the specified TCP sequence number.

  • operator is one of =, <, >, or !.
  • relative indicates that <number> is relative to the initial sequence number of the TCP session.

src_port

Syntax: --src_port [!]{<port_int> | :<port_int> | <port_int>: | <port_int>:<port_int>};

Description:

Use the src_port keyword to specify the source port number. You can specify a single port or a port range:

  • <port_int> is a single port.
  • :<port_int> includes the specified port and all lower numbered ports.
  • <port_int>: includes the specified port and all higher numbered ports.
  • <port_int>:<port_int> includes the two specified ports and all ports in between.

Add an exclamation mark (!) before the value to match any port outside the specified port or range.
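The following Python is an added example, not code from the FortiOS documentation or from Fortinet. It implements the four src_port/dst_port value forms listed above (plus the optional leading !), then pulls those two keywords out of a constructed sample signature and checks a source/destination port pair against them. The keyword-extraction regex, the sample signature and the assumption that several keywords in one signature must all match (ANDed) are assumptions of the example, not something the page states.

```python
"""Added example (not FortiOS code): matcher for the --src_port / --dst_port
value syntax.  Assumed: values are written exactly as in the Syntax line
(N, :N, N:, N:M, optional leading '!') and several keywords are ANDed."""
import re

PORT_SPEC_RE = re.compile(r"^(?P<neg>!)?(?P<lo>\d+)?(?P<colon>:)?(?P<hi>\d+)?$")
KEYWORD_RE = re.compile(r"--(?P<kw>src_port|dst_port)\s+(?P<val>[^;]+);")


def parse_port_spec(spec):
    """Return (negate, low, high) for one port value.

    N     -> (False, N, N)
    :N    -> (False, 0, N)        N and every lower port
    N:    -> (False, N, 65535)    N and every higher port
    N:M   -> (False, N, M)        N, M and everything between
    A leading '!' sets negate, meaning 'any port outside that set'.
    """
    spec = spec.strip()
    m = PORT_SPEC_RE.match(spec)
    if not m or (m["lo"] is None and m["hi"] is None):
        raise ValueError(f"malformed port value: {spec!r}")
    negate = m["neg"] is not None
    if m["colon"] is None:
        low = high = int(m["lo"])
    else:
        low = int(m["lo"]) if m["lo"] is not None else 0
        high = int(m["hi"]) if m["hi"] is not None else 65535
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"port range out of order or out of bounds: {spec!r}")
    return negate, low, high


def port_matches(spec, port):
    """True if `port` satisfies the port value `spec`."""
    negate, low, high = parse_port_spec(spec)
    inside = low <= port <= high
    return not inside if negate else inside


def signature_ports_match(signature, src_port, dst_port):
    """Apply every --src_port / --dst_port keyword found in a signature body.

    Assumption of this example: all keywords present must match (ANDed);
    a signature that carries neither keyword matches any port pair.
    """
    for m in KEYWORD_RE.finditer(signature):
        port = src_port if m["kw"] == "src_port" else dst_port
        if not port_matches(m["val"], port):
            return False
    return True


# Constructed sample signature (not from any vendor feed): telnet reached
# from an ephemeral client port.  Only the port keywords are evaluated here.
SAMPLE_SIG = (
    'F-SBID( --name "Example.Telnet.From.Ephemeral"; --protocol tcp; '
    "--src_port 1024:; --dst_port 23; )"
)

if __name__ == "__main__":
    print(signature_ports_match(SAMPLE_SIG, 51234, 23))   # True
    print(signature_ports_match(SAMPLE_SIG, 23, 23))      # False, src too low
    print(port_matches("!:1023", 8080))                   # True, outside 0-1023
```

Note that a malformed value such as 443:80 (range written backwards) or a bare : is rejected rather than silently matching nothing, which is the behaviour you want when the signature is being reviewed before it is loaded onto a FortiGate.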

tcp_flags

Syntax: --tcp_flags <SAFRUP120>[!|*|+][,<SAFRUP120>];

Description:

Specify the TCP flags to match in a packet.

  • S: Match the SYN flag.
  • A: Match the ACK flag.
  • F: Match the FIN flag.
  • R: Match the RST flag.
  • U: Match the URG flag.
  • P: Match the PSH flag.
  • 1: Match Reserved bit 1.
  • 2: Match Reserved bit 2.
  • 0: Match no TCP flags set.
  • !: Match if the specified bits are not set.
  • *: Match if any of the specified bits are set.
  • +: Match on the specified bits, plus any others.

The first part of the value (<SAFRUP120>) defines the bits that must be present for a successful match.

Example:

--tcp_flags AP; only matches the case where both the A and P bits are set.

The second part ([,<SAFRUP120>]) is optional, and defines the additional bits that may be present for a match.

For example, --tcp_flags S,12; matches the following combinations of flags: S; S and 1; S and 2; S and 1 and 2. The modifiers !, * and + cannot be used in the second part.
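The following Python is an added example, not code from the FortiOS documentation or from Fortinet. It parses a --tcp_flags value into the required first part, the optional second part and the modifier, then evaluates it against the flags byte of a TCP header, so you can see exactly which flag combinations a value such as S,12 or SA* admits. Three things are assumptions of the example that the page does not state: the bit positions (standard TCP header layout, with 1 = CWR at 0x80 and 2 = ECE at 0x40, the convention Snort uses for its flags keyword); that ! is read literally as "none of the listed bits set"; and that with + the second part is irrelevant because every extra bit is already allowed. Confirm the ! semantics against your FortiGate before relying on it.

```python
"""Added example (not FortiOS code): evaluation of --tcp_flags values
against the flags byte of a TCP header.

Assumptions (not given on the page): bit positions follow the TCP header
layout with '1' = CWR (0x80) and '2' = ECE (0x40), as in Snort's flags
keyword; '!' means none of the listed bits set; with '+' the optional
second part does not matter."""

FLAG_BITS = {
    "F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
    "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80,
}
MODIFIERS = "!*+"


def _mask(letters):
    """OR together the bits for a run of flag letters."""
    mask = 0
    for ch in letters:
        if ch not in FLAG_BITS:
            raise ValueError(f"unknown flag letter {ch!r}")
        mask |= FLAG_BITS[ch]
    return mask


def parse_tcp_flags(value):
    """Parse '<SAFRUP120>[!|*|+][,<SAFRUP120>]'.

    Returns (modifier, required_mask, optional_mask, zero) where zero is True
    for the special value '0' (no flags set)."""
    first, _, second = value.strip().partition(",")
    modifier = ""
    if first and first[-1] in MODIFIERS:
        modifier, first = first[-1], first[:-1]
    if not first:
        raise ValueError("first part of --tcp_flags is empty")
    if any(ch in MODIFIERS for ch in second):
        raise ValueError("!, * and + are not allowed in the second part")
    if first == "0":
        return modifier, 0, 0, True
    if "0" in first or "0" in second:
        raise ValueError("'0' cannot be combined with other flags")
    return modifier, _mask(first), _mask(second), False


def tcp_flags_match(value, flags):
    """True if the 8-bit TCP flags byte `flags` satisfies the --tcp_flags value."""
    modifier, required, optional, zero = parse_tcp_flags(value)
    flags &= 0xFF
    if zero:                                   # '0': no flags set at all
        hit = flags == 0
        return not hit if modifier == "!" else hit
    if modifier == "!":                        # none of the listed bits set
        return flags & required == 0
    if modifier == "*":                        # any of the listed bits set
        return flags & required != 0
    if modifier == "+":                        # all listed bits, others allowed
        return flags & required == required
    # Default: every bit of the first part set, and nothing set beyond the
    # first part plus the optional second part.
    allowed = required | optional
    return flags & required == required and flags & ~allowed & 0xFF == 0


def flag_names(flags):
    """Render a flags byte as letters for log output, e.g. 0x12 -> 'SA'."""
    return "".join(ch for ch, bit in FLAG_BITS.items() if flags & bit) or "0"


# Constructed sample flag bytes (not captured traffic).
SAMPLES = {
    "syn": 0x02, "syn_ack": 0x12, "ack_psh": 0x18,
    "syn_ecn": 0xC2, "null_scan": 0x00, "xmas": 0x29,
}

if __name__ == "__main__":
    for spec in ("AP", "S,12", "S+", "SA*", "S!", "0"):
        hits = [n for n, f in SAMPLES.items() if tcp_flags_match(spec, f)]
        print(f"--tcp_flags {spec}; matches {hits}")
```

Running it shows the difference that trips people up: S,12 accepts a SYN carrying ECN bits (0xC2) but rejects SYN-ACK, while S+ accepts both, and SA* fires on a bare ACK as well as on SYN. A value that puts a modifier in the second part, such as S,A+, is rejected at parse time.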

window_size

Syntax: --window_size [!]<window_int>;

Description:

Check for the specified TCP window size. You can specify the window size as a hexadecimal or decimal integer. A hexadecimal value must be preceded by 0x. To have the FortiGate search for the absence of the specified window size, add an exclamation mark (!) before the window size.

This entry was posted in Administration Guides, FortiOS 6.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
