FortiOS 6 – Custom signature keywords

Leave a reply

TCP header keywords

ack

Syntax: –ack <ack_int>;

Description:

Check for the specified TCP acknowledge number.

dst_port

Syntax: –dst_port [!]{<port_int> | :<port_int> | <port_int>: | <port_ int>:<port_int>};

Description:

Use the dst_port keyword to specify the destination port number.

You can specify a single port or port range:

l <port_int> is a single port. l :<port_int> includes the specified port and all lower numbered ports. l <port_int>: includes the specified port and all higher numbered ports. l <port_int>:<port_int> includes the two specified ports and all ports in between.

seq

Syntax: –seq [operator,]<number>[,relative];

Description:

Check for the specified TCP sequence number.

l operator includes =,<,>,!. l relative indicates it’s relative to the initial sequence number of the TCP session.

src_port

Syntax: –src_port [!]{<port_int> | :<port_int> | <port_int>: | <port_ int>:<port_int>};

Description:

Use the src_port keyword to specify the source port number. You can specify a single port or port range:

l <port_int> is a single port. l :<port_int> includes the specified port and all lower numbered ports. l <port_int>: includes the specified port and all higher numbered ports. l <port_int>:<port_int> includes the two specified ports and all ports in between.

tcp_flags

Syntax: –tcp_flags <SAFRUP120>[!|*|+] [,<SAFRUP120>];

Description:

Specify the TCP flags to match in a packet.

  • S: Match the SYN flag. l A: Match the ACK flag. l F: Match the FIN flag.

R: Match the RST flag. l U: Match the URG flag. l P: Match the PSH flag. l 1: Match Reserved bit 1. l 2: Match Reserved bit 2. l 0: Match No TCP flags set. l !: Match if the specified bits are not set. l *: Match if any of the specified bits are set.

  • +: Match on the specified bits, plus any others.

The first part if the value (<SAFRUP120>) defines the bits that must be present for a successful match.

Example:

–tcp_flags AP only matches the case where both A and P bits are set.

The second part ([,<SAFRUP120>]) is optional, and defines the additional bits that can be present for a match.

For example tcp_flags S,12 matches the following combinations of flags: S, S and 1, S and 2, S and 1 and 2. The modifiers !, * and + cannot be used in the second part.

window_size

Syntax: –window_size [!]<window_int>;

Description:

Check for the specified TCP window size. You can specify the window size as a hexadecimal or decimal integer. A hexadecimal value must be preceded by 0x. To have the FortiGate search for the absence of the specified window size, add an exclamation mark (!) before the window size.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Pages: 1 2 3 4 5 6 7
This entry was posted in Administration Guides, FortiOS 6 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.