
Fortinet Network Device IPS - Page 36

Fortinet Network Device IPS
62 pages
FortiGate IPS User Guide Version 3.0 MR7
36 01-30007-0080-20080916
Creating custom signatures Custom signatures
Use the --protocol tcp keyword to limit the effect of the custom signature to
only TCP traffic. This will save system resources by not unnecessarily scanning
UDP and ICMP traffic.
F-SBID( --name "Block.SMTP.VRFY.CMD"; --pattern "vrfy";
--service SMTP; --protocol tcp; )
The FortiGate unit will limit its search for the pattern to TCP traffic and ignore the
pattern in UDP and ICMP network traffic.
6 Ignoring case sensitivity
By default, patterns are case sensitive. If a user directed his or her browser to
Example.com, the custom signature would not recognize the URL as a match. In the
same way, the pattern "vrfy" in this signature does not match a command sent as VRFY.
Use the --no_case keyword to make the pattern matching case insensitive.
F-SBID( --name "Block.SMTP.VRFY.CMD"; --pattern "vrfy";
--service SMTP; --no_case; )
Unlike all of the other keywords in this example, the --no_case keyword has no
value. Only the keyword is required.
7 Specifying the context
The SMTP vrfy command will appear in the SMTP header. The
--context header keyword/value pair allows you to limit the pattern search to
only the header.
F-SBID( --name "Block.SMTP.VRFY.CMD"; --pattern "vrfy";
--service SMTP; --no_case; --context header; )
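
The effect of steps 5 and 6 can be checked offline with the sketch below, an added example that is not part of the Fortinet guide and not FortiGate code. It parses the F-SBID syntax shown on this page and applies a simplified matching model; the names parse_fsbid and matches are hypothetical, the sample payloads are constructed, and --service and --context are parsed but not evaluated.

```python
import re

FLAG_KEYWORDS = {"no_case"}  # keywords that take no value (per this page)
OPTION = re.compile(r'--(\w+)(?:\s+("[^"]*"|[^;"\s]+))?\s*;')

# Signatures copied from steps 5 and 7 on this page.
STEP5 = 'F-SBID( --name "Block.SMTP.VRFY.CMD"; --pattern "vrfy"; --service SMTP; --protocol tcp; )'
STEP7 = 'F-SBID( --name "Block.SMTP.VRFY.CMD"; --pattern "vrfy"; --service SMTP; --no_case; --context header; )'

def parse_fsbid(text):
    """Split an F-SBID signature into {keyword: value}; valueless keywords map to True."""
    m = re.fullmatch(r'\s*F-SBID\((.*)\)\s*', text, re.S)
    if not m:
        raise ValueError("not an F-SBID( ... ) signature")
    body, opts, pos = m.group(1), {}, 0
    for opt in OPTION.finditer(body):
        if body[pos:opt.start()].strip():
            raise ValueError(f"unparsed text: {body[pos:opt.start()]!r}")
        key, value = opt.group(1), opt.group(2)
        # A flag keyword must have no value; every other keyword must have one.
        if (value is None) != (key in FLAG_KEYWORDS):
            raise ValueError(f"--{key}: value missing or not allowed")
        opts[key] = True if value is None else value.strip('"')
        pos = opt.end()
    if body[pos:].strip():
        raise ValueError(f"unparsed text: {body[pos:]!r}")
    return opts

def matches(opts, protocol, payload):
    """Simplified model (assumption): evaluates only --protocol, --pattern, --no_case."""
    if "protocol" in opts and opts["protocol"].lower() != protocol.lower():
        return False
    pattern = opts["pattern"].encode()
    if opts.get("no_case"):
        return pattern.lower() in payload.lower()
    return pattern in payload

if __name__ == "__main__":
    # Constructed sample traffic: (protocol, payload)
    samples = [("tcp", b"vrfy root\r\n"), ("tcp", b"VRFY root\r\n"), ("udp", b"vrfy root\r\n")]
    for label, sig in (("step 5", STEP5), ("step 7", STEP7)):
        opts = parse_fsbid(sig)
        for proto, payload in samples:
            print(label, proto, payload, "->", matches(opts, proto, payload))
```
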
