FortiOS 6 – Custom signature keywords

Other keywords

data_size

Syntax: --data_size {<size_int> | <<size_int> | ><size_int>};

Description:

Test the packet payload size. When data_size is specified, packet reassembly is turned off automatically, so a signature that sets both data_size and only_stream is invalid.

  • <size_int> matches a packet of exactly the specified size.
  • <<size_int> matches a packet smaller than the specified size.
  • ><size_int> matches a packet larger than the specified size.

Examples:

  • --data_size 300;
  • --data_size <300;
  • --data_size >300;

data_at

Syntax: --data_at <offset_int>[, relative];

Description:

Verify that the payload has data at a specified offset, optionally looking for data relative to the end of the previous content match.

dump-all-html

Syntax: --dump-all-html;

Description:

Dump all HTML files for benchmarking via iSniff. When there is no file type specified, all HTML files are dumped.

rate

Syntax: --rate <matches_int>,<time_int>;

Description:

Instead of generating log entries every time the signature is detected, use this keyword to generate a log entry only if the signature is detected a specified number of times within a specified time period.

  • <matches_int> is the number of times a signature must be detected.
  • <time_int> is the length of time in which the signature must be detected, in seconds.

For example, if a custom signature detects a pattern, a log entry will be created every time the signature is detected. If --rate 100,10; is added to the signature, a log entry will be created if the signature is detected 100 times in the previous 10 seconds. Use this command with --track to further limit log entries to when the specified number of detections occur within a certain time period involving the same source or destination address rather than all addresses.

rpc_num

Syntax: --rpc_num <app_int>[, <ver_int> | *][, <proc_int> | *];

Description:

Check for RPC application, version, and procedure numbers in SUNRPC CALL requests. The * wildcard can be used for the version and procedure numbers.

same_ip

Syntax: --same_ip;

Description:

Check that the source and destination IP addresses of the packet are the same.

track

Syntax: --track {SRC_IP | DST_IP | DHCP_CLIENT | DNS_DOMAIN}[,block_int];

Description:

When used with --rate, this keyword narrows the custom signature rate totals to individual addresses.

  • SRC_IP: tracks the packet's source IP.
  • DST_IP: tracks the packet's destination IP.
  • DHCP_CLIENT: tracks the DHCP client's MAC address.
  • DNS_DOMAIN: counts the number of any specific domain name.
  • block_int has the FortiGate unit block connections for the specified number of seconds, from the client or to the server, depending on which is specified.

For example, if --rate 100,10 is added to the signature, a log entry will be created if the signature is detected 100 times in the previous 10 seconds. The FortiGate unit maintains a single total, regardless of source and destination address.

If the same custom signature also includes --track client;, matches are totaled separately for each source address. A log entry is added when the signature is detected 100 times in 10 seconds within traffic from the same source address.

The --track keyword can also be used without --rate. If an integer is specified, the client or server will be blocked for the specified number of seconds every time the signature is detected.
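The data_size/only_stream conflict and the --rate / --track counting described above, as an added example that is not part of the Fortinet documentation or of FortiOS: it parses the keywords out of a constructed F-SBID signature, flags the invalid combination, and replays constructed detection events through a sliding window to show which events would produce a log entry with and without --track SRC_IP. The restart of the window after a log entry is an assumption of this model, not a documented FortiOS behaviour.

```python
import re
from collections import defaultdict, deque

# Constructed example signature (FortiOS F-SBID form); the pattern is a dummy.
SIGNATURE = 'F-SBID( --name "Demo.Rate"; --pattern "GET /login"; --rate 5,10; --track SRC_IP; )'

# Constructed detection events: (seconds, source IP) for the signature above.
EVENTS = [(0, "10.0.0.5"), (1, "10.0.0.9"), (2, "10.0.0.5"), (3, "10.0.0.5"),
          (4, "10.0.0.9"), (5, "10.0.0.5"), (6, "10.0.0.9"), (30, "10.0.0.5"),
          (31, "10.0.0.5"), (32, "10.0.0.5"), (33, "10.0.0.5"), (34, "10.0.0.5")]

# Each keyword is "--name [argument];" ; the argument is optional (e.g. --same_ip;).
KEYWORD_RE = re.compile(r"--([\w-]+)(?:\s+([^;]*))?;")

def parse_keywords(sig):
    """Map each --keyword in the signature to its (possibly empty) argument."""
    return {k: v.strip() for k, v in KEYWORD_RE.findall(sig)}

def signature_problems(kw):
    """Return the keyword combinations the documentation says are wrong."""
    problems = []
    if "data_size" in kw and "only_stream" in kw:
        problems.append("data_size turns reassembly off, so only_stream cannot apply")
    if "rate" in kw and not re.fullmatch(r"\d+,\d+", kw["rate"]):
        problems.append("rate needs <matches_int>,<time_int>")
    return problems

def rate_track_alerts(events, kw):
    """Return (time, key) pairs at which a log entry would be generated.
    Detections are counted per source when --track SRC_IP is present,
    otherwise in one global total. Assumption: the window restarts after
    a log entry is written."""
    matches, window = (int(x) for x in kw["rate"].split(","))
    per_source = kw.get("track", "").startswith("SRC_IP")
    seen = defaultdict(deque)
    alerts = []
    for ts, src in events:
        key = src if per_source else "*"
        dq = seen[key]
        dq.append(ts)
        while ts - dq[0] > window:          # drop detections older than the window
            dq.popleft()
        if len(dq) >= matches:
            alerts.append((ts, key))
            dq.clear()
    return alerts

if __name__ == "__main__":
    kw = parse_keywords(SIGNATURE)
    print(signature_problems(kw))                  # []
    print(rate_track_alerts(EVENTS, kw))           # [(34, '10.0.0.5')]
    kw_global = {k: v for k, v in kw.items() if k != "track"}
    print(rate_track_alerts(EVENTS, kw_global))    # [(4, '*'), (34, '*')]
```

Without --track the two sources' hits are pooled and the threshold is reached at second 4; with --track SRC_IP only 10.0.0.5 ever reaches five hits inside ten seconds, at second 34.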

This entry was posted in Administration Guides, FortiOS 6 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
