Custom signatures

You can create custom IPS signatures and custom application signatures to further extend protection. For example, you can use custom IPS signatures to protect unusual or specialized applications or even custom platforms from known and unknown attacks.

All custom signatures follow a particular syntax. Each begins with a header and is followed by one or more keywords. A custom signature definition is limited to a maximum length of 512 characters. A definition can be a single line or span multiple lines connected by a backslash (\) at the end of each line.

A custom signature definition begins with a header, followed by a set of keyword/value pairs enclosed in parentheses ( ). The pairs are separated by semicolons (;), and each pair consists of a keyword and a value separated by a space. The following is the basic format of a definition:

HEADER (KEYWORD VALUE;)

You can use as many keyword/value pairs as required within the 512-character limit.

Creating a custom signature

The FortiProxy predefined signatures cover common attacks. If you use an unusual or specialized application or an uncommon platform, add custom signatures based on the security alerts released by the application and platform vendors.

To create a custom application signature:
  1. Go to Security Profiles > Application Control.
  2. Select [View Application Signatures].
  3. Select Create New to add a new custom signature.
  4. Enter a Name for the custom signature.
  5. Optionally, enter Comments to describe the new signature.
  6. Enter the Signature.
  7. Select OK.

To create a custom IPS signature:
  1. Go to Security Profiles > Intrusion Prevention.
  2. Select [View IPS Signatures].
  3. Select Create New to add a new custom signature.
  4. Enter a Name for the custom signature.
  5. Optionally, enter Comments to describe the new signature.
  6. Enter the Signature.
  7. Select OK.

Valid syntax

The following table shows the valid characters and basic structure. For details about each keyword and its associated values, see Custom signature keywords.

| Field | Valid Characters | Usage |
|---|---|---|
| HEADER | F-SBID | The header for an attack definition signature. Each custom signature must begin with this header. |
| KEYWORD | Each keyword must start with a pair of dashes (--) and consist of a string of 1 to 19 characters. Normally, keywords are an English word or English words connected by an underscore (_). Keywords are case insensitive. | The keyword identifies a parameter. |
| VALUE | Double quotes (") must be used around the value if it contains a space and/or a semicolon (;). If the value is NULL, the space between the KEYWORD and VALUE can be omitted. Values are case sensitive. NOTE: If double quotes are used for quoting the value, the double quotes are not considered as part of the value string. | The value is set specifically for a parameter identified by a keyword. |
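
The syntax rules above can be checked before a definition is pasted into the Signature field. The following Python linter is an added example, not Fortinet code. It assumes that the 1 to 19 character keyword length excludes the leading dashes, that the 512-character limit applies after continuation lines are joined, and that the header is written exactly as F-SBID; the keywords in the sample are constructed for illustration.

```python
import re

MAX_LEN = 512                                 # limit stated on this page
KEYWORD_RE = re.compile(r'--[^\s";]{1,19}')   # assumption: 1-19 chars after "--"

def split_pairs(body):
    """Split the parenthesised body on semicolons outside double quotes."""
    pairs, cur, quoted = [], "", False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            pairs.append(cur)
            cur = ""
        else:
            cur += ch
    if quoted:
        raise ValueError("unterminated double quote")
    return [p.strip() for p in pairs + [cur] if p.strip()]

def parse_signature(text):
    """Return [(keyword, value)]; raise ValueError on a syntax violation."""
    sig = re.sub(r"\\\r?\n", "", text).strip()   # join backslash-continued lines
    if len(sig) > MAX_LEN:
        raise ValueError(f"{len(sig)} characters exceeds the {MAX_LEN} limit")
    m = re.fullmatch(r"F-SBID\s*\((.*)\)", sig, re.S)
    if not m:
        raise ValueError("expected F-SBID followed by ( ... )")
    result = []
    for pair in split_pairs(m.group(1)):
        keyword, value = (pair.split(None, 1) + [""])[:2]
        if not KEYWORD_RE.fullmatch(keyword):
            raise ValueError(f"bad keyword {keyword!r}")
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]                  # quotes are not part of the value
        elif re.search(r"\s", value):
            raise ValueError(f"{keyword}: value with a space needs double quotes")
        result.append((keyword.lower(), value))  # keywords are case insensitive
    return result

# Constructed sample; confirm keywords against the Custom signature keywords reference.
SAMPLE = 'F-SBID( --name "Example.Custom.Sig"; --protocol tcp; \\\n' \
         '  --pattern "login; admin"; --NO_CASE; )'

if __name__ == "__main__":
    for kw, val in parse_signature(SAMPLE):
        print(f"{kw:<12}{val!r}")
```

A definition that passes this check is only syntactically well formed; whether each keyword and value is accepted still depends on the Custom signature keywords reference.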